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EXECUTIVE  SUMMARY 


The  Air  Force  currently  has  several  ongoing  propulsion  technology  development  programs  including  the 
signiricanf  joint  development  with  NASA  of  the  Advartcod  Launch  System  (ALS).  Previous  investigation  by 
Air  Force  Astronautics  Laboratory  and  others  has  indicated  that  launch  vehicle  reliability  is  perhaps  the 
key  driving  parameter  for  development  program  success. 

Given  the  key  role  played  by  reliability,  AFAL  requested  that  SAIC  undertake  a  study  of  propulsion 
system  reliability  development.  The  objective  of  this  study  was  to  identify,  and  where  possible  quantify  and 
prioritize,  propulsion  techniques  related  to  launch  vehicle  reliability. 

The  study  was  to  include  visits  to  an  engine  manufacturer,  a  launch  vehicle  systems  contractor,  and  NASA 
sites  to  develop  information  to  sup(.  Lament  literature  searches  and  independent  research  to  provide  a  base 
of  information  sufficient  to  allow  SAIC  to: 

•  Assess  Current  Practice  and  the  Resulting  Historical  Reliability  Data  Base 

•  Investigate  Potential  Reliability  Enhancing  Methodologies  and  to 

•  Quantify  and  Prioritize  the  Methodologies 

The  Study  results  indicated  that  current  launch  vehicle  reliability  levels  are  in  the  order  of  90  -  95% 
This  is  substantially  below  future  Air  Force  system  requirements  of  99  -  99.9%.  Investigation  into  how 
these  historical  levels  of  reliability  could  be  significantly  improved  resulted  in  the  development  of  the 
following  SIX  key  recommendations  for  the  consideration  of  the  Air  Force  and  AFAL. 

1 .  Failure  correlation  factors  are  key  factors  of  interest  to  design  decision  makers.  Specific  studies, 
which  address  what  factors  have  been  achieved  in  the  past  and  what  design  trades  have  been  made  to  ensure 
the  low  factors  quoted  by  contractors  are  achievable,  appear  to  be  lacking.  The  Air  Force  should  consider 
requiring  that  such  studies  be  undertaken. 

2.  Variability  Control,  especially  of  residual  variability,  may  be  the  key  barrier  to  high  launch 
reliability  achievement.  The  Air  Force  should  consider  requiring  that  some  specific  program  for 
variability  control  be  included  in  future  propulsion  technology  development  programs. 

3.  Reusability  has  been  shown  to  have  indirect,  potentially  negative,  impacts  on  high  reliability 
achievement.  The  trade-otfs  which  exist  between  high  reliability  and  reusability  should  be  clearly 
identified  and  included  in  propulsion  programmatic  decision  making. 

4.  Risk  Management  has  been  shown  to  have  potential  benefits  in  maintaining  the  high  reliability  of 
oroorams  in  other  industries.  The  advisability  of  risk  management  being  included  as  an  integral  part  of 
propulsion  system  development  should  be  considered. 

5.  Reliability  Performance  Indicators  should  be  developed  whose  trend  trajectories  lead,  or  presage, 
the  occurrence  of  reliability  problems  so  that  program  management  action  can  be  taken  prior  to  the 
development  of  reliability  problems. 

6.  Reliability  Growth  Forecasting  is  important  during  the  development  of  systems  with  high  reliabil¬ 
ity  requirements.  This  is  especially  true  when  program  economics  prohibit  extensive  development  test 
flights.  Reliability  growth  approaches  should  be  investigated  and  applied  as  appropriate  to  propulsion 
system  development  programs. 
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OBJECTIVE 


'  ne  objeclive  of  this  effort  was  to  identify,  and  where  possible  quantlry  and  pnc-nti/e,  liquid  and  soiid 
-ouision  design  parameters,  development  methodologies,  and  production'operdtions  techniques  related 
i  >urich  vehicle  reliability. 


KEY  RECOMMENDATIONS 

The  following  areas  have  been  identified  as  having  significant  reliability  impact.  These  areas  each 
.■'rant  further  in-depth  study  if  the  high  reliability  goals  of  the  Air  Force  advanced  launch  veh;cie 
-  ams  are  to  be  achieved  in  an  operational  system. 

'  aiiure  Correlation* 

I  ne  percentage  of  failures  which  are  likely  to  impact  more  than  one  engme  in  a  multi-engine  design  is 
'  critical  design  import.  This  percentage,  or  “failure  correlation  factor,"  must  bo  well  below  20%  for 
.  ^biiitv  oriented  design  approaches  such  as  engine  out  capability  to  be  efiecniv-;-  me  lowm  n  . 

:  -  :  30-0  the  more  effective  is  this  hueristically  pleasing  design  option  Not  r.urp'’:.  c.  •  '' 

'.nor  new  engine  design  characteristics  quote  extremely  low  factors  .as  !o-.  •-  r ■'  ■.  r:  i.o*  c  o' 

■  .i  1  out  of  1 00  do  not  seem  consistent  with  other  design  para  mot;-  c,  .  '.'cc  :  j.;"'  ao  c.  - 

and  are  considerably  lower  than  factors  achieved  on  rocern  engine  aesicnc  ;  ?  g.  :7V,  tor  tiu: 
I'iC  mam  engine  test  program).  Finally,  there  did  not  appear  to  be  any  significant  consideration  oivi-r 
...V  nese  low  factors  would  be  achieved  in  practice. 

-erornmeudation  1  -  Failure  correlation  factors  are  key  reiiabiliiy  parameters  to  7.;r  Force  laimicc 
.  e  design  decision  makers.  Specific  studies  such  as  parameter  design  studies  which  address  what 
rors  have  been  acitieved  in  the  past  and  what  design  trades  have  been  made  to  ensure  the  low  factors  quotoc 
■.',e  evident  in  the  reliability  designs  appear  to  be  lacking,  it  is  .eccnmended  that  these  investid.ctici'^ 
vdde  prior  to  the  selection  of  any  design  alternative. 

variability  Control 

■  iie  currently  achieved  launch  vehicle  reliability  has  been  shown  by  this  investigation  to  be  below  0  d:' 

.'  v'cvar,  the  investigation  uncovered  examples  of  reliabilities  in  other  somewhat  similar  systen's  su.. 
bjc'ical  .missile  systems,  which  routinely  achieve  0.99  and  some  which  approach  0.999.  These  systems 
:  operational  reliabilities  currently  meet  or  exceed  the  reliability  requiremerits  for  the  Air  r 
..^n  launch  system  have  achieved  these  high  reliability  levels  thrcugri  tfio  c'  ipteriswe  varoeoi  o.y 
■-  o:  -jiograms.  While  it  would  be  inappropriate  to  make  any  direct  correlation  between  tactical  missoe.? 
.  ch  vehicles,  if  is  also  clear  from  a  review  of  the  raHure  drda  o*  mature  r  eys.erns  the!  - 
.,  . ,  igudir- ant iy  higher  reliabilities  niay  be  the  residuji  w-j ;  ..to  w  ..  r  ;ni  i.  :  ■  :  I, 

r  >1"  a.'ss  A  CL’r=orv  review  ft' ot^er  somew*’.?!  . ..ce.  ...i 

.'.  s  turbines  and  recent  Air  Force  variability  reduction  studies  perfotineo  as  part  of  the 
.  u  gr.  m,  provide  further  support  for  this  argument. 

■v.e'oommendation  2  -  Residual  variability  may  be  the  key  barrier  to  high  hunch  vehieh  leliao'h  v 
..voment  For  this  reason,  it  is  recommended  that  investigations  he  rc.rids  mio  tro  ehem  venec.  o 
iic  variability  control  programs  such  as  Taguchi  methods  or  aiternar we-  ;  ne,'.-'  mvectigi  '  n.s  st;  ■■  .  d 


■jvuinit'on  cited  h'Dre  is  broader  than  that  used  traditionally  by  propulsion  systerr-,  dpr.m”:""-. 
i  .in  .q!  the  dilforence 


be  directed  at  determining  the  applicability  of  the  methods  to  the  launch  vehicle  production  process.  It  is 
further  recommended  that  some  specific  program  for  variability  control  be  included  throughout  all  phases 
of  the  advanced  launch  system  program. 

3.  Reusability 

Reusability  is,  on  the  surface,  a  design  goal  of  significant  program  benefit.  However,  the  benefits  of 
reusabiity  are  significantly  compromised  if  the  reliability  of  an  engine  is  adversely  affected  by  the 
requirement.  Besides  the  direct  costs  involved  in  developing  a  reusable  design,  there  also  appears  to  be 
significant  indirect  costs  which  are  required  to  maintain  reliability  in  a  reusable  design.  For  example, 
reusability  by  its  very  nature  tends  to  decrease  the  production  run.  When  production  runs  are  decreased, 
investments  in  automated  production  equipment  become  less  economical  and  the  production  process 
therefore  tends  to  become  more  prototypical.  Prototypical  production,  especially  of  complex  equipment, 
increases  the  problems  associated  with  variability  control  and  therefore  substantial  postproduction  testing 
may  be  required  to  ensure  high  reliabilities.  A  good  example  of  such  an  indirect  impact  on  reusability  was 
seen  at  the  Rocketdyne  SSME  production  facility  in  Canoga  Park,  California. 

Recommendation  3  -  Reusability  has  been  shown  to  have  indirect  and  potentially  negative  impacts  on 
the  achievement  of  high  reliabilities  at  reasonable  cost.  The  indirect  impacts  of  reusability  on  reliability 
and  cost  through  such  mechanisms  as  variability  control  problems  should  be  thoroughly  investigated  and 
the  results  of  this  investigation  included  in  the  programmatic  decision  making  related  to  reusability. 

4  Risk  Management 

Achievement  of  high  operational  reliabilities  in  such  areas  as  nuclear  power  plant  safety  systems  have 
been  signihcardy  py  ^  oontirvally  active  program  that  attempts  to  identify  the  risks  to  reliable 

operation  and  to  address  them  according  to  their  importance.  Such  a  risk  management  program  has  been 
investigated  and  recommended  by  NASA  SRM  &  OA  for  future  projects,  but  it  is  not  clear  whether  a  risk 
management  program  is  planned  for  the  acquisition  of  advanced  launch  systems. 

'^Recommendation  4  -  The  Air  Force  should  investigate  the  advisability  of  incorporating  a  risk 
management  program  as  an  integral  part  of  any  launch  system  prog-'am 

5.  Reliability  Performance  Indicators  and  Trending 

For  high  reliability  programs  it  is  important  to  identify,  early  on,  symptoms  of  the  process  which  pre¬ 
sage  deterioration  in  performance.  This  has  been  done  in  the  financial  community,  in  the  commercial 
aircraft  community  and  in  the  nuclear  power  safety  community  by  the  development  of  a  set  of  'leading" 
performance  indicators  and  developing  performance  trends  based  upon  the  indicator  trajectories  through 
time.  If  such  a  set  of  indicators  could  be  developed  and  trended  for  advanced  propulsion  system  development 
programs,  the  indicator  trajectories  might  provide  early  warning  of  problems  arising  during  development 
and  operation.  This  early  warning  could  provide  the  time  required  to  institute  corrective  action  before 
actual  program  reliability  performance  is  affected. 

Recommendation  5  -  The  Air  Force  should  develop  as  part  of  advanced  propulsion  system  development 
programs  a  set  of  potential  indicators  of  programmatic  reliability  performance.  This  indicator  set  should 
be  based  originally  on  historical  information,  but  later  updated  and  validated  as  advanced  propulsion  system 
development  programs  specific  information  becomes  available 
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’eJiability  Growth  Analysis 

!n  ail  developmental  systems  a  certain  degree  of  reliability  growth  is  to  be  expected  Howeve^  progfcini 
anagers  need  to  know  the  pace  of  the  expected  growth  so  that  they  can  determine  it  tne  program  is  likely 
'  eet  the  operational  reliability  goals  within  developmental  time  constraints  An  understand. ng  ot  'tie 
1,  ■vtti  process  is  therefore  essential  to  the  determination  of  the  proper  role  to  be  played  by  history  in  tr-.o 
-  i  ecasting  of  future  system  reliability.  If  an  historical  failure  has  been  analyzed  and  its  cause  determir  e,- 
:'id  suitable  corrective  action  is  implemented  to  prevent  its  recurrence,  it  is  recognized  that  if  would  ha. , 
s  orcbability  of  occurring  again  diminished  when  it  is  utilized  for  predicting  future  performance  But  tv 
cw  much"^  The  determination  ot  how  much  each  failure  should  be  counted  is  important  in  orderto  estatnsri 
■  f  proper  “calibration"  for  the  reliability  growth  characteristic  to  be  used  lo  determine  now  v  .*  ' 
:.b'  ity  development  is  proceeding.  Several  approaches  have  been  developed  to  address  the  ssim-  c 
•  /vth  Among  those  developed  are  the  early  works  of  Duane  at  GE,  that  of  David  Lloyd  of  TRW  and  tn.a' 
:  -eloped  by  Dr.  Yu  Shen  of  SAIC  as  part  of  this  study.  In  addition,  Bayesian  approaches  may  shew  prom  *  - 
.  '  improved  growth  forecasting. 

eiecemmendation  6  -  Reliability  growth  forecasting  is  important  during  'no  ii.  ■  •  irrimeM  o'  oy:  e 
■  .gn  reliability  requirements  such  as  ALS.  Accurate  growth  torecasts  .ii:>  -v  p'oeo,;,-.  -  -  , 

.  oe  early  on  if  reliability  requirements  are  likely  lO  be  met  iTr,  •  •.  '-v.;  a  >,  ■  m  o  u *  •>  s 
:  economics  prohibit  extensive  development  test  flights  as  IS  ’  .•  i  ,  u:  Se-e  -c*-  ' 

•  r’uv  exiSt  to  allow  for  forecasts  to  be  generated:  however,  furtner  aeveiopr'ie  •-!  is  reaui'ed  to  r.. :  i 
j  u-ascnable  growth  forecast  is  developed  for  advanced  propulsion  syste'n  deve.opmeiit  progisn  • 

.'  .'lure  recommended  that  the  concept  of  reliability  growth  be  fun.her  deveiopeci  .3s  '  .ipn  ■ 

.  •  !  p  opuision  system  development  programs. 


4 


BACKGRCXJND 


'-r  Al  caifcfit'y  rdS  sevo  ai  ongc:ng  lo^hrclcgy  dev-aiODnisjnl  pioyiams  that  are  aimed 

i;!  launcti  v.'hjree  applications  A  fimpamenta:  goa!  tor  any  no//  la^jOch  vehicle  is  lovv  cost  One  element  ot  cost 
that  IS  ipceiving  increasing  levels  ot  national  attention  is  tn-a  cost  ot  urireiiabiiity.  This  issue  was 
highlighted  Dy  the  recent  series  of  catastrophic  launch  failures.  These  failures  included  two  Titans,  a  Delta, 
an  Atlas,  and  a  Shut'le  All  were  lost  in  a  period  of  2  years  Historical  data  bases  indicate  that  in  general 
'aunch  vehicle  reliability  against  catastrophic  failure  is  approximately  0.92.  This  value  is  dominated  by 
propuisio!;  system  failures  and  is  unacceptably  low  for  any  luture  launch  vehicles 


The  caditicnai  methodologies  for  the  development  of  propulsion  systems  ha'/e  in'.'o'ved  the  use  of 
'  ad'iionai  rrtanufacturing  methodologies  coupled  with  traditional  design  'ne'hodolcqir  s  ‘hat  assume  son'c 
nic-a'L.'-e  0^  hafety  factor  :n  the  design  process  The  traditional  issun  that  was  tundamei'i.a;  to  launch  vehu.u: 
app  ications  was  that  the  vehicle  payload  capability  was  highly  sensitive  to  the  mass  properties  Hence, 
mapims  were  decreased  to  the  maximum  extent  possible  during  the  design  phes-'-  f  here  remains  a  distinct 
de'.eiopment  transition  to  flight  weight  hardware  m  most  aerospace  develcpmcnts.  Reliability  was  only 
sjb'Oquently  evaluated  as  a  secondary  concern.  Point  estimate  techniques  for  estimating  application 
"eiiabihty  were  employed  rather  than  rigorous  statistical  feshng  Manufacturing  process  control  was 
■  rst  Ujic'J  alter  development  m  order  to  qualify  vehicles  for  manned  flight  or  higher  confidence  of  success 
following  catastrophic  failures  It  is  apparent  that  in  order  to  achieve  higher  levels  of  'eliabilify  m 
crociT''-  co  svT'oms,  anc  hence  in  the  launch  vehicles  alternative  development  approaches  need  to  b- 
explored 


Tnere  nave  been  several  suggested  approaches  to  achieving  higher  reliability.  Design  for  reliability 
pnhosophies  include  redundancy  techniques  and  higher  design  margins.  Process  control  advocates  point  to 
human  error  contributions  to  failure  and  article  to  article  variations,  proposing  that  more  automated 
production  and  higher  levels  of  quality  control  and  non  destructive  testing  will  achieve  desired  reliability 
It  IS  fundamentally  assumed  that  design  engineers  should  be  more  aware  of  ultimate  reliability  and 
orodLiCibility  issues  as  they  pursue  designs  Inevitably,  the  greatest  stumbling  block  to  achieving  higher 
feliabillty  goals  is  limited  funding  available  for  development  and  qualification  programs  and  the  historical 
'ehabiiity  approach  perspective,  wnich  consigns  probablistic  techniques  to  only  the  top  most  levels  ot 
program  analysis  and  evaluation  While  history  has  shown  it  to  be  true  that  m  the  ultimate  design 
reliability  not  only  costs  nothing  but  will  produce  significant  cost  benefits,  this  is  not  true  in  the  near  term 
dusign  development  phase  Here  reliability  tasks  increase,  at  least  initially,  the  cost  and  they  do  so  in  an 
environment  where  funding  is  scarce  and  where  reliability  needs  must  compete  with  other  more  visible 
programmatic  needs  (such  as  performance  upgrades).  In  such  an  environment  of  new  program  development 
within  strict  resource  constraints  reliability  resources  can  be  eroded  in  favor  of  programmatic  needs 
considered  more  immediate  unless  investments  in  reliability  are  "fenced  in"  early  and  not  confused  with 
management  reserves. 


s 


1.0  (TASK  1)  CURRENT  PRACTICE  AND  DATA  BASE  ASSESSMENT 


'  Curient  Practice 
M  1  Current  Practice  Background 

Corporations  involved  in  the  design,  manufacture,  test  and  operation  of  propulsion  systems  generally 

■  ave  infrastructures  that  result  from  specific  government  agency  requirements.  Those  controls  which 
■xist  within  any  given  infrastructure  that  have  an  impact  on  reliability  also  exist  largely  due  to  government 
rqnirements  At  the  highest  level  these  controls  consist  primarily  of  Failure  Modes  and  Effects  Analysis 

As  I  and  Problem  (or  Failure)  Reporting  and  Corrective  Action  Systems  (  PRACAs/FRACAs).  ATlhougn 
•ese  controls  have  had  a  positive  impact  on  reliability  the  impact,  because  it  is  often  somewhat  indirect. 
:  ■'C!  readily  measurable.  Thus,  it  is  difficult  io  ascertain  quantitatively  that  spending  a  given  amount  of 
uurces  on  FMEAs  or  PRACAs  will  in  fact  pay  off.  In  addition,  there  are,  at  least  in  the  initial  phases  cf 
."  cg-arn  development,  few  financial  incentives  for  “better”  reliability  even  though  the  costs  of  laiUire 
'  3:e  substantial  down  stream  benefits  from  investing  in  reliability.  Furthct more  even  if  there  were 

.  c  \ty  incentives,  if  would  be  difficult  for  manufacturers  to  know  where  io  spend  ‘hej;  scare  t' 
-curves  to  obtain  the  best  reliability  returns.  This  is  primarily  due  to  inconsisten!  or  ,,ori  exisieni 
-  lOiiiiv  data  bases. 

-  '  oroblem  is  further  compounded  by  the  constraint  nf  sample  size  on  the  measurement  of  acnievec 

■  '  ..c.  'ty  in  highly  reliable  systems.  In  other  words,  to  demonstrate  that  a  given  reliability  has  been 
■  v  ;a  at  a  reasonable  confidence  level,  a  large  number  of  systems  must  be  tested  It  is  obvious  that  m 

:  iSGS  tn.s  approach  is  not  practical  from  a  cost/schedule  standpoint.  This  is  not  to  say  that  presently 
:  '  ec)  reliabilities  are  inadequate  to  satisfy  the  previously  and  currently  existing  requirements.  In  fact, 
a  attained  reliabiiity  of  any  propulsion  system  is  generally  based  on  relatively  small  sample  sizes  anc 
.■  underlying  assumption  that  each  propulsion  system  firing  is  independent  of  all  otriers.  This  simply 
ans  tfiat  while  we  may  not  know  precisely  (from  a  reliability  standpeu-d)  where  we  are  now,  we  do  know 
x.  e  we  are  well  enough  to  understand  that  we  are  far  from  the  high  reliability  goals  desired  of  future 
r-  propulsion  systems. 

..  w uvur,  the  relevant  question  is  not  where  we  are  now,  but  how  can  an  improvemenl  in  'eiiabiiity  b- 
'  /Gd  ^  Because  of  the  relative  nature  of  this  question,  it  may  turn  out  that  accurately  prediciing 
.r,.:  ly  imprcvernents  is  easier  than  measuring  attained  reliability. 

'  ;  .  M a]or  Activities  Constituting  Infrastructures 

c  'unding  limitations  it  was  not  possible  to  revisit  manLda:;'ire'’v  in  order  !o  he,''efi‘  ■''om  'ho  ‘p;  " 
-••-.rug  ■'•om  the  initial  visit.  The  revisits  would  he,,.,  -f  rm;  i,.;,:  on  zc-cn 

■-  .  •'  u.  bill  on  transoortation  and  s'orage  >s  we'' 

■;uc"d  visits  would  be  used  to  form  a  clearer  picture  of  the  detailed  approaches  taken  by  licuid  and 

:  '•  .Uiu'acturers. 

■ ;  /vo.'Of,  based  on  the  initial  visits  taken,  six  major  activities  have  been  identified  in  tfie  life  cycle 
.  ornpLiision  system:  design,  manufacturing,  test,  transportation,  storage,  and  operation  The 

■  .  :,;ru' uurv  that  has  evolved  has  cerdered  on  design,  manufacturing  ar.d  test  Activities  related  to 
.  pj  :  it  un  storage  and  operation  tend  io  be  restricted  to  problem  co'i-runo  ■  ra'her  tuan  a  planned 
neg-y  to  anticipate  problems. 
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Desion  -  The  Design  activity  primarily  involves  the  creation  of  a  system  :h 
requirements  ol  a  contract  Typicaiiy  a  design  is  generated  vand  g aos  ihrough  a  desic, 
consisting  ot  preimnnary ,  critical,  and  tinal  design  rsii views.  Tt’.e  lOview  ot 
achieverTient  duiing  these  reviews  is  currently  oasod  ibenauso  c'  the  lack  or  -a  data 
for  propulsion  systems) ,  upon  the  manutaciurei  s  euginoering  junigement  oi  ori  qua 
specific  failure  modes  whose  elimination  or  muigation  is  again  based 
recommondatiens  which  are  iudgementally  based  and  therefore  difiTcuit  to  object 
probability  oi  being  successiuii;.  araieved  in  the  mipiornentcd  design. 


.at  meets  the  specified 
n  leview  process  usually 
'ei'ability  requiremeni 
'led  historical  data  base 
litat:  va  review  of  design 
upon  manufacturer's 
've.y  assess  as  to  their 


ring  -  Once  the  transition  is  made-  from  design  to  manuiactui'ing.  the  activdies  focus  on  how 


■ii.siyitig  Quality 
rnariisms  for  this 
n. (actors  are  also 


marrpowcr  and  materials  rcqui''ed  to  p 
iai-utaetcring  pmcedu  es  and  t'c  .  din 


on!  ■ 


mutually  prose 


I  c  li'O  cystom  vui'i 
grams  arc  the  ^j-i.aary  i 
'ib^-d  by  ciionts,  primes  a;  d  .Tinjor  sem 


i.mposad. 


Tesimg  .sct'vh  cs  primmriiv  involve  qualification  a.cu  raa;o!;iiity  t  m.tmc  '  .my  are  primarily 
irtended  to  test  the  functional  adequacy  cr  the  potential  of  a  given  design  ic'uieniertaiian.  In  trur  v  ay  they 
can  ''e,ariv  maicate  that  a  prorulsm'n  system  performance  spc-c'hcation  such  as  t'Trust  to  weight  ratio,  a 
snec.uc  impu-se  has  not  been  achieved,  but  they  only  indirecdy  indicate  lack  cf  reliability  achievement. 
This  IS  esoecia  11/  true  of  now  designs  Those  tests  do  not  usually  invofye  eno'jgn  tost  time  tor  numbers  of 
s/siens'  to  oroduce  a  statistically  significant  indication  of  system  reliability  capability  When  failures 
do  occur,  they  may  have  been  induced  by  consciously  over  exiendit.g  the  design  limits.  In  fact,  the  tests  may 
be  conducted  to  determine  design  weaknesses  through  'est  failure  so  that  me  failures  car  be  examined  and 
corrective  action  taken  to  improve  the  design.  These  tests  therefore  irray  not  always  provide  useful 
inlormaticn  concerning  the  assessment  of  system  reliability  capability  although  they  certainly  do  produce 
information  uselul  to  reliapility  improvement. 


Transportation  -  Transportation  activities  can  have  obvious  negative  impacts  on  reliability  due  to  the 
influence  ot  shock,  vibration,  humidity,  and  thermal  transients.  These  and  other  environmental  actors  r-qn 
act  independently  or  synergistically  to  decrease  reliabiliiy.  Controls  are  in  place  dictating  packaging  and 
handling  requirements  primarily  through  specifications.  Unfortunately,  not  all  problem  (or  failure) 
reporting  and  corrective  action  systems  feedback  problems  that  occur  because  of  inadequate  package  and 
handling  requirements.  Such  a  closed  loop  system  would  provide  a  mechanism  tor  rewriting  of  specifica¬ 
tions 


Storage  -  Like  transportation,  storage  activities  can  also  have  a  negative  impact  on  reliability.  This  is 
true  not  only  from  the  standpoint  of  environmental  conditions,  but  storage  time  as  well.  When  rocket  booster 
dependent  programs  experience  a  delay,  then  all  limited  life  items  become  factors  affecting  reliabiliiy 


Operation  -  The  atmg  Lime  for  booster  rockets  is  a  matter  of  a  few  hundred  seconds  with  the  pro¬ 
viso  that  some  ot  c,  'ket  engines  or  solid  booster  casings  are  reusable.  Achieved  reliability  is  measured 
classically  b;  usi  orating  data  and  applying  statistical  distributions  such  as  the  binomial.  As  with  the 
testing  activity,  when  .';.''  'res  occur,  the  devices  are  reexamined  and  corrective  action  is  initiated  followed 
by  retest.  Since  the  ,ctive  action  taken  obviously  is  intended  to  eliminate  failure  mechanisms  and 
thereby  improv  relia^.iity,  it  is  difficult,  it  not  impossible,  to  use  a  classical  approach  to  measure 
reliability  achieverne'^t  in  developmental  systems  with  high  reliability  goals  and  limited  operating 
histories. 


1  '  j  current  Infrastructure  Activities  Affecting  Reliability 

Although  there  are  some  specific  differences  between  prime  contractors  and  major  subcontractors,  in 
.'-^neral  ihe  controls  affecting  reliability  which  are  the  responsibility  of  the  reliability  discipline  are 
V:  ability  Predictions,  Failure  Modes  and  Effect  Analysis  (FMEAs)  and  Failure  Reporting  and  Corrective 
systems  (FRACAs),  The  quality  control  discipline  has  a  direct  impact  on  reliability  but  is  not 
crmally  a  part  of  the  reliability  discipline.  "Lessons  Learned"  is  often  a  semi-fcrmal  approach  to 
eliabiiity  improvement  and  when  used,  it  is  as  likely  to  be  found  in  the  design  group  as  the  reliability 

.roup. 


Calv  the  F-RACA  system  provides  a  closed  loop  means  of  correcting  problems.  In  their  present  form!, 
-  .  AS  are  not  structured  to  quantify  reliability  or  to  become  a  proactive  part  of  m,easured  (quan 'fiec 
,.;r;'!i*y  enhancement. 


PR.ACA'FRACA 


.'Vedictions,' 

'rade  Offs 

Figure  1 ,  Existing  Infrastructure  controls  intended  to  .johance  reliab'liiy 


;  .re  1  illustrates  the  six  infrastructure  activities  as  they  rel  ,te  to  reliability  activities  The  moit 
used  reliability  activities  are: 

•  FMEAs 

•  Reliability  Predictions/Trade-offs 
PRACA/FRACA  Systems 

t' Uiusurement  of  Achieved  Reliability 

-‘■er-Ai  are  and  how  they  are  used  is  described  in  the  following  section  under  "Retiabir'lv 
■..■cnriq  Analysis  ■  Reliability  Predictions/Trade-offs  are  aiso  discussed  in  the  same  oerd.ion  under 
.  adirg  of  “Quantitative  Reliability  Engineering  .Design  Tools'’along  with  othortools  that  a^e  available 
;  :'UMity  engineers.  Figure  2  contains  a  comprehensive  list  o!  roiiahiiity  Fools  anc  Fernniqu  ''^' 
A  f  raCA  Systems  are  discussed  in  detail  in  Section  i  f  3  2 


Measurement  of  Achieved  Reliability  due  to  its  complexity  is  treated  sepa'-ately  in  Section  2.2, 
“Historical  Data  Analysis  (Reliability  Growth)"  and  in  Appendix  A  3.  “Reliability  Analysis  of  Current 
US  Launch  Vehicles”. 

The  purpose  of  Figure  1  is  to  illustrate  the  limited  use  of  presently  available  reliability  engineering 
techniques  and  tools  as  well  as  the  limited  use  of  information  from  activities  such  as  transportation  and 
storage. 

It  is  clear,  based  on  the  information  gathered  to  date,  that  no  single  company  has  utilized  all  the  tools 
and  techniques  available  to  reliability  engineers  on  any  given  project  nor  has  the  information  from  trans¬ 
portation  and  storage  been  fully  utilized.  The  fact  that  all  the  resources  of  reliability  technology  have  not 
been  utilized  is  iM  a  result  of  negligence  on  the  part  of  manufacturers.  Often  they  may  not  be  provided  with 
specific  requirements  to  address  all  these  issues  by  their  government  customers  and  are  not  normally 
funded  to  conduct  these  types  of  analyses. 

A.ithough  not  directly  related  to  launch  vehicle  reliability,  a  recent  example  of  how  the  storage  activity 
can  affect  reliability  is  given  by  the  recently  launched  TDRSS  spacecraft.  After  the  Challenger  accident 
the  spacecraft  spent  an  extra  2  1/2  years  on  the  ground  Deterioration  was  suspected  in  the  bolt  cutter 
ordinance  and  for  this  reason  a  reliability  study  was  conducted  by  the  contractor.  The  study  resulted  in 
the  determination  that  the  bolt  cutters  required  replacement.  The  successful  launch  of  TDRSS  is  now  a 
matter  of  record.  Total  credit  for  this  success  cannot  be  taken  by  the  individuals  involved  in  this  reliability 
analysis,  but  a  significant  contribution  was  made  to  this  success  as  a  result  of  diligent  ordinance  and 
reliability  engineers  taking  the  initiative  and  going  beyond  typical  practice.  The  only  way  to  make  such 
protection  "routine"  is  to  expand  current  reliability  practice  so  as  to  create  an  infrastructure  such  as  the 
one  depicted  on  Figure  8  in  Section  2.3. 

Reliability  Engineering  Analysis  -  There  are  a  number  of  tasks  that  are  specifically  related  to  re¬ 
liability  as  shown  in  Figure  2.  It  is  not  the  purpose  of  this  leport  to  fully  describe  each  technique  and 
design  tool  but  to  highlight  those  most  commonly  used  in  the  rocket  industry.  The  two  most  commonly 
used  methods  for  reliability  analysis  are: 

•  Failure  Modes  and  Effects  Analysis  (FMEA)  or  Failure  Modes,  Effects  and  Criticality 

Analysis  (FMECA). 

•  Quantitatiye  Reliability  Engineering  Design  Tools  such  as  predictions  or  Trade-offs. 


Failure  Modes  and  Effects  Analysis  is  a  “bottom  up"  method  intended  to  identify,  classify  and  document 
failure  modes  and  their  effects  as  well  as  possible  corrective  actions  or  compensating  or  mitigating 
provisions. 

Ttie  purpose  of  an  FMEA  is  to: 

1.  Assist  in  selecting  design  alternatives  with  high  reliability  and  high  safety  potential  during  early 
design  phase. 

2.  Ensure  that  all  conceivable  failure  modes  and  their  effects  on  operational  success  of  the  system  have 
been  considered. 

3.  List  potential  failures  and  identify  the  magnitude  of  their  effects. 

4  Develop  early  criteria  for  test  planning  and  the  design  of  the  test  and  checkout  systems. 

5.  Provide  a  basis  for  quantitative  reliability  and  availability  analyses. 
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TECHNIQUES 

CJANTITATIVE  ANALYSIS 

■  FORMATS-Rc LIABILITY  GRAPHS 
RELIABILITY  BLOCK  DIAGRAMS, 
FAULT  TREE  DIAGRAMS,  MARKOV 
TRANSITION  DIAGRAMS.  DECISION 
FREES,  TRUTH  TABLES,  DIGRAPHS 

•  ANALYTICAL  METHODS-BOOLEAN 
ALGEBRA,  MARKOV  MATRIX 
ALGEBRA,  EVENT  SPACE  ANALYSIS, 
MINIMUM  CUT  SETS.  TIE  SETS, 
MONTE  CARLO  SIMULATION,  PATH 
FRACING,  DECOMPOSITION 


DESIGN  TOOLS 

1 .  COMPARATIVE  ANALYSIS 

•  ENGR.  TRADE  OFP  S 

•  SENSITIVITY 

•  OPTIMIZATION  STUDIES 

2.  ABSOLUTE  ANALYSIS 

•  APPORTIONMENT 

•  PREDICTION/MEASUREMENT  OF 
ACHIEVED  RELIABILITY 


ENGINEERING  DECISIONS 

1  RECOMMEND  DESIGN 
ALTERNATIVES 

2  MAINTANINABILITY 
RECOMMENDATIONS 

3  PREVENTIVE  MAINTENANCE 
PROGRAMS 

4  SPARE  PARTS  PROVISIONS 

5  RECOMMENDED  TEST 
INTERVALS 


QUALITATIVE  ANALYSIS 


"CRMATSFMEA'S,  CRITICAL 
TEMS  list,  FAULT  TREE  DIAGRAMS 


'  IAI>T|CA'  METHODS-FAILURE 
■•/lAl  YSIS,  ROOT  CAUSE.  COMMON 

-  j; ;  uAiTiCALirv  ranking 


Figure  2.  Reliability  engineering  tasks  typically  used  in  design 
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6.  Provide  historical  documentation  for  future  reference  to  and  in  analysis  of  field  failures  and 
consideration  of  design  changes. 

7.  Provide  input  data  for  tradeoff  studies. 

8.  Provide  a  basis  for  establishing  corrective  action  priorities. 

9.  Assist  in  the  objective  evaluation  of  design  requirements  related  to  redundancy,  failure  detectiori 
systems,  fail-safe  characteristics  and  automatic  and  manual  override. 

When  considering  reliability  analysis  of  a  design,  one  usually  thinks  of  all  the  analytical  steps  leading 
to  an  estimate  of  the  reliability  of  a  given  item.  A  complete  analysis  requires  comprehensive  input  data  that 
include  material  properties,  design  details  and  component  failure  rates;  however,  it  is  not  necessary  to  wait 
until  all  of  these  are  known  before  much  can  oe  determined  about  the  reliability  of  the  design. 

Pailure  Mode  Effects  and  Criticality  Analysis  (FMECA),  is  essentially  similar  to  a  Failure  Mode  and 
Effects  Analysis  but  in  this  case  the  criticality  of  the  failure  is  analyzed  in  greater  detail  (and  may  in  some 
instances  be  quantitatively  evaluated)  and  assurances  and  controls  are  described  for  limiting  the  likelihood 
of  such  failure.  The  four  fundamental  facets  of  such  an  approach  are  (1)  Failure  Identification;  (2) 
Potential  Effects  of  the  Failure;  (3)  Existing  or  Projected  Compensation  and/or  Control;  and  (4)  Summary 
of  Findings. 

The  most  hazardous  pitfall  is  the  potential  of  mistaking  form  for  substance.  If  the  project  becomes 
simply  a  matter  of  filling  out  the  FMEA  forms  instead  of  conducting  a  proper  analysis,  the  exercise  will  be 
ineffective.  For  this  reason,  it  might  be  better  for  the  analyst  not  to  restrict  himself  to  any  prepared 
formalism.  Another  point:  if  the  system  is  at  all  complex,  it  is  risky  for  a  single  analyst  to  imagine  that  he 
alone  can  conduct  a  correct  and  comprehensive  survey  of  all  system  failures  and  their  effects  on  the  system. 
When  applied  to  complicated  systems,  th  ise  techniques  call  for  a  well  coordinated  team  approach. 

Comparative  Analysis  and  Absolute  Analysis  are  »he  two  general  types  of  quantitative  reliability  en¬ 
gineering  design  tools. 

Comparative  Analysis  -  When  alternative  designs  for  achieving  given  (or  desired)  levels  of  reliability 
are  under  consideration,  characteristics  foi  .ch  design  are  expressed  quantitatively  as  a  means  of 
comparing  the  relative  reliability  of  each  design  alternative.  For  this  particular  type  of  analysis,  failure 
and  repair  data  need  not  be  exact  since  the  purpose  is  to  compare  alternatives  rather  than  to  obtain  estimates 
of  absolute  values. 

There  are  three  types  of  comparative  analysis  commonly  undertaken; 

•  Trade-offs 

•  Sensitivity  Studies 

•  Optimization  Studies 

Trade-offs,  among  various  design  alternatives,  are  conducted  so  that  the  alternatives  with  the  best 
Benefit  to  Cost  Ratio  may  be  selected.  The  Benefit/Cost  Ration  is  determined  by  incorporating  the  effects 
of  reliability  factors,  installation  and  operating  costs,  degraded  modes  of  operation,  etc.  T rade-offs  involve 
achieving  the  proper  balance  among  reliability,  performance,  and  cost. 
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Sensitivity  analysis  involves  the  variation  of  input  parameters  to  mathematical  models  in  order  to 
assess  the  relative  effect  of  component  characteristics  and  data  accuracy  on  a  given  system's  reliability 
results  are  used  to  identify  areas  where  improvement  in  design  will  have  the  greatest  potential  impact 

-MT  '"eliability . 

Optimization  studies  carry  the  concept  of  sensitivity  analysis  one  step  further  by  varying  the  input 
:  arameters  until  a  set  which  appears  best  from  a  reliability  perspective  within  the  system  constraints  is 

ootained. 

Absolute  Analysis  involves  the  use  of  numerical  results  of  an  analysis  in  an  absolute  sense  (Design  A 
•as  3  reliability  of  0  90").  It  results  in  a  “stand  alone"  number,  not  a  “relative  comparison”  type 


The  two  types  of  absolute  analysis  are: 

•  Apportionment 

*  Prediction 

•up ::t:onment  is  used  when  a  specific  level  of  reliability  is  prescnbeo  rer  ir-stance,  a  client  may 
-  scra-e  a  certain  percent  increase  in  the  reliability  of  an  existing  propulsion  system.  The  procedure 
simplified)  is: 

’  Apportion  the  reliability  of  the  system  to  each  subsystem  based  on  past  performance. 

2  Icientif  /  those  subsystems  which  have  the  least  desirable  reliability  performance.  Include  all  factors 
"hicn  affect  this  peiformance  such  as  random  failures,  common  cause  failures,  distribution  of  downtimes, 

;  nan  -eliability,  etc. 

3  Determine  what  corrective  measures  may  be  taken  to  increase  the  reliability  of  each  subsystem, 

prediciion  requires  utilizing  mathematical  models,  input  data,  and  probability  theory  for  predicting 
mi;  Dility  taking  design  actions  based  upon  the  predictions,  measuring  (or  gaining  new  knowledge)and 
.r  un  repredicting,  and  acting  again  or  remeasuring  continually  throughout  a  program  of  development  oi 


Peocding  and  Corrective  Action  Systems  -  “Failure  Reporting  and  Corrective  Action":  (FRACA)  as  well 
I-  'A'-.ijiem  Reporting  and  Corrective  Action”  (PRACA)  are  the  two  types  of  reporting  and  corrective 
'  systems  that  presently  exist  in  the  rocket  industry.  The  FRACA  system  is  required  by  the  Air  Force 
•  'h  -  PRACA  system  is  required  by  NASA.  Although  these  two  systems  may  differ  in  nni  nor  detail,  the  intent 
' ; .  immpr'ts  and  methods  used  by  manufacturers  to  carry  ihem  ou*  is  very  ‘■urriiar  The  ^oiiowinr: 
.  p  .  on:  e  typical  manufacturer 

Company  XY2  maintains  a  closed-loop  failure  reporting  and  corrective  action  system  to  ensure 
'uvestigation  of  the  cause  ot  failures  and  to  provide  appropriate  corrective  action  and  failure  recurrence 
ooMirci,  The  FRACAs  place  emphasis  on  analysis  of  failure  data  to  provide  early  detection  of  defects 
J  ic  sequent  investigation  and  corrective  action  attempts  to  find  and  correct  failure  causes  early  in  the  build 
•  vcif?  in  order  to  minimize  costs  associated  with  higher  level  failures. 
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FRACAS  incorporate  the  following  features 

1  Use  of  a  failure  report  form  which  provides  a  failure  description,  analysis  and  corrective  action,  as 
'.veil  as  basic  information  including-  hardware  name,  operational  level,  type  and  environment;  hardware 
identification  number;  date  of  failure;  name  of  responsible  unit  engineer  and  failure  reporting  engineer. 

2.  A  project  failure  reporting  procedure  or  RAM  program  plan  section  which  defines: 

-  The  level  at  which  failure  reporting  begins. 

-  The  types  of  ar’omalies  for  which  failure  reports  wiil  and  will  not  be  written. 

-  The  flow  of  hardware  and  paperwork  associated  with  failure  analysis. 

-  The  responsibilities  of  the  R&M  and  QA  organizations. 

3.  The  completed  failure  reports  incorporate  the  corrective  action  implemented  both  immediately  (e  g., 
pan  removed  and  replaced)  and  long  term  (e.g.,  engineering  order  to  implement  design  change). 

4  Every  failure  report  requires  a  close  out. 

5  The  program/project  maintains  a  current  list  of  all  failures  and  the  status  of  those  failures. 

Basic  terminology  used  in  FRACAs  is  as  tollows; 

1 .  TRG  -  lest  fiecord  Sheet  -  Running  log  of  spacecraft  area  test  events;  initiated  by  test  inspector. 

2.  SQUAWK  (Log)-  Narrative  which  records  spacecraft  or  space  propulsion  system  area  assembly  and 
test  problems:  initiated  by  test  inspector. 

3.  TDR  -  Jest  Discrepancy  Beport  -  Records  test  failures  at  various  levels  of  assembly  and  test;  initiated 
by  test  inspector. 

1.  TRF  -.Test  failure  B2pcrt  Records  the  problem  descriptions,  failure  analyses,  and  oOiieciive 
actions;  initiated  by  reliability  engineer. 

5.  PAR  -  Be  liability  ^alysis  Beport  -  Computerized  output  of  combined  information  from  TDR  andTFR. 

6.  FRB  -  failure  Beview  Board  -  Joint  meeting  of  Contractor/Customer  personnel  to  review  and 
closeout  failure. 

Sequence  of  Activities  -  A  typical  flow  of  failure  reporting  paperwork  and  the  associated  hardware  is 
shown  in  Figure  3. 

Although  FRACA/PRACA  systems  are  intended  to  be  a  “cradle  to  grave"  system,  manufacturers  tend  to 
emiphasize  manufacturing  (using  Q.C.  as  the  control  and  corrective  action  system)  and  test  (using  the 
process  of  Figure  3  as  a  corrective  action  system).  This  is  primarily  because  these  are  the  two  areas  over 
which  they  have  complete  control.  Feedback  from  the  customer  (except,  of  course,  for  catastrophic 
failures)  is  often  inconsistent. 


For  example,  if  a  failure  occurs  and  the  equipment  is  polled  for  repair,  the  paper  work  often  does 
not  state  why  ti^e  equipment  tailed.  In  the  case  of  *he  SSME,  a  recent  review  of  non-conference  reports 
(UCRs)  indicated  that  only  20%  were  included  in  the  NASA  PRACA  system  according  to  one  contractor.  80% 
were  excluded  oy  the  reporting  requirements.  These  requirements  are  intended  to  limit  the  reporting  to 
serious  problems  and  to  prevent  the  system  from  becoming  overwhelmed  by  problems  of  a  minor  nature. 
Such  a  system  serves  well  to  aid  in  serious  problem  tracking  and  close  out,  but  can  sometimes  eliminate 
the  detailed  background  information  required  for  definitive  problem  analysis  and  root  cause  determination. 
In  the  case  of  the  SSME,  such  investigations  required  use  of  the  UCRs  combined  with  the  contractor’s 
;,Rocketdy,ne)  -r,  house  problem  tracking  systems.  Thus,  the  prcblem  is  t'.vo-fcid:  not  nil  problems  are 
repcrted  and  those  that  are  reported  are  not  always  adequately  described. 

Comments  •  Failure  reponiny  ruost  effective  -when  viewed  an  engineering  activity  rather  than  as 
a  bookkeeping  function.  Opportunities  exist  for  failure  repotting  personnel  to  enhance  screening 
effectiveness,  identify  potential  trends,  and  to  minimize  costly  downstream  anomalies.  Increased 
computerization  of  FRACAs  allows  for  rapid  information  dissemination  and  less  time  spent  on  routine 
paperwork  tasks,  as  long  as  increased  use  of  computers  must  not  be  made  by  sacrificing  detailed  problem 
desciiptions 

The  FRACAs  begin  with  procurement  and  continue  through  receiving  inspection  manufacturing,  test, 
launch-site  activities  and  mission  operation.  Control  of  discrepancies  found  in  receiving  and  in-process 
inspection,  all  non-test  discrepancies  and  Material  Review  Board  (MRB)  activities  are  primarily  the 
responsibility  of  Quality  Assurance  and  are  described  in  the  Quality  Assurance  Program  Plan.  Reporting 
of  parts  and  materials  problems  (including  Alerts,  etc.)  is  the  responsibility  of  Parts,  Materials  and 
Processes  (PM&P)  personnel.  Test  discrepancy  control  is  primarily  the  responsibility  of  the  reliability 
organization,  in  the  course  of  performing  this  function,  a  reliability  engineer  may  encounter  conflicting 
priorities  within  the  project  in  assuring  that  proper  failure  analysis  and  corrective  action  occur  in 
response  to  test  discrepancies.  Examples  include; 

1.  Manufacturing  personnel  want  units  repaired  and  out  of  their  hands. 

2  System  Integration  personnel  want  units  back  into  stores  or  back  into  their  hands. 

3  The  unit  engineer  wants  a  test  discrepancy  to  be  due  to  a  manufacturing  defect  or  a  parts  problem, 
and  he  may  now,  due  to  the  passage  of  time,  be  assigned  to  a  new  project. 

4.  The  project  manager  doesn't  want  to  spend  any  more  money  on  the  situation 

5.  The  project  engineer  believes  whatever  the  unit  engineer  tells  him. 

6.  The  system  engineer  is  worrying  about  link  performance  or  something  of  the  sort. 

In  the  face  of  these  conflicts,  the  reliability  engineer’s  objectives  must  prevail.  The  Failure  Review 
Board  exists  to  help  assure  that  each  failure  is  properly  closed  out.  Satisfactory  closeout  of  a  failure  will 
occur  when: 

1 .  A  failed  unit  is  fixed  and  has  passed  the  test  which  it  failed 

2.  The  probability  of  the  problem  recurring  in  the  unit  is  negligibly  small. 

3.  The  problem  has  been  shown  not  to  exist  in  any  other  unit. 


15 


A  computer  system  is  often  used  to  record  and  track  test  discrepancies  from  the  time  of  occurrence 
through  Failure  Review  Board  closeout  and  beyond.  The  computerized  system  provides: 

1.  A  reporting  vehicle  for  alerting  Quality  Assurance,  Reliability,  Engineering,  Manufacturing,  Tost 
and  Program  Management  of  failures  and  need  for  action. 

2.  A  permanent  record  of  the  cause,  significance,  effect,  and  corrective  action  for  each  failure. 

3.  A  vehicle  for  requesting  remedial  action  of  the  procurement,  design,  manufacturing,  test  and  handling 
organizations. 

4.  A  retrieval  system  for  identifying  failure  trends,  providing  status  summaries  and  locating  historical 
failure  information. 

While  PRACAs/FRACAs  perform  well  in  the  failure  tracking  and  problem  close  out  system  mode  for 
which  they  were  ititended,  they  were  not  designed  to  be  reliablity  data  bases  even  though  they  may  contain 
information  considered  for  this  latter  purpose.  It  should  therefore  not  be  surprising  that  PR  AC  As  often  lack 
me  information  required  for  reliability  analysis  and  prediction.  The  reasons  for  this  vary  but  the  primary 
reason  is  as  follows.  PRACAs  are  intended  primarily  to  keep  reliability  management  and  program 
management  informed  that  serious  problems  have  been  identified  and  are  being  attended  to.  Including  minor 
problems  or  supplemental  information  which  is  not  critical  to  management  tracking  (such  as  the  part 
exposure  time  at  failure)  may  overload  management  and  therefore  this  information  is  screened  out  of  the 
system  by  the  reporting  requirements.  While  this  may  be  desired  from  a  problem  tracking  standpoint,  it 
eliminates  the  precursor  information  essential  to  a  reliability  data  base.  For  example,  the  SSME  PRACA 
system  only  includes  20%  of  the  UCR  information  which  would  be  required  for  a  reliability  data  base  and 
It  includes  almost  no  exposure  at  time  of  failure  information. 


1  2  Data  Base  (Historical) 

1  2.1  Data  Collection 

The  objective  of  this  subtask  was  to  collect  the  material  necessary  to  understand  the  present  state  of 
design,  the  current  manufacturing  techniques  and  the  operational  parameters  of  solid  and  liquid  propulsion 
rockets  Collection  methods  included  visits  to  NASA  and  Air  Force  sites  responsible  for  solid  and  liquid 
propulsion  rockets.  Collection  methods  also  included  visits  to  the  sites  of  rocket  manufacturers  and  users 
and  access  to  in-house  publications,  technical  and  public  libraries  for  text  books,  reports  and  articles  on 
■'ockets. 

Trip  reports  (see  Volume  li:  Appendix  B)  documented  the  names  of  contacts  made,  insights  gained 
' 'O'jqh  formal  or  informal  question  and  answer  sessions  with  these  contacts,  the  type  of  information 
coiiectec  (nard  copy  reports,  historical  data  sets  and  for  which  rockets  and  time  frames)  and  the  type  of 
process  viewed  during  facility  tours  (production,  maintenance,  design).  Information  gathering  focused  on 
the  retrieval  of  sets  of  historical  rocket  launch  and  test  performance  data,  textbook  discussions  of  the 
physical  attributes  of  solid  and  liquid  rockets  and  subtypes,  and  studies  conducted  to  evaluate  design  and 
performance  tolerances  of  individual  or  collective  rocket  performance  parameters.  The  output  of  this  task 
was  a  sef  of  rocket  characteristic  and  performance  data. 

12  2  Data  Organization 

The  data  gathered  from  the  site  visits  and  the  information  collection  process  described  above  was 
organized  to  facilitate  its  use.  For  hardcopy  material  and  site  trip  reports,  a  filing  system  was  constructed. 
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separating  solid  from  liquid  rocket  data,  then  categorizing  by  rocket  use  (booster,  strap-on,  Orbit  Adjust, 
Payload  Assist  Module),  followed  by  sorts  on  fuel  type  and  rocket  type.  The  Data  Summary  Sheets  that  follow 
were  constructed  tc  allow  at-a-glance  review  of  the  data  a^aliable  on  the  various  rocket  types  in  these 
rocket  use  and  fuel  typo  categories.  Historical  data  on  rocket  tesPlaunch  were  organized  by  entering  it  into 
a  computerized  data  base  system,  DBase  lii-r,  when  the  data  was  available,  to  allow  data  to  be  more  easily 
stored  and  sorted. 

12  3  Representative  Design  Parameter  Development 

Using  the  information  gathered  and  organized,  a  candidate  design  configuration  v/as  selected  for  solid  and 
liquid  rockets  as  a  baseline  case  This  baseline  was  used  tc  establish  d  structure  of  rocket  mission  and 
performance  characteristics  which  also  define  a  structure  for  data  entry  and  storage.  The  rocket  mission 
data  vector,  or  the  column  headings  for  a  data  table,  reflects  data  categories  from  historical  performance 
sets,  such  as  data  of  tesf/launch,  success  or  failure,  rocket  designation  (name,  pioduction  lot),  and  type 
of  mission  (R&D,  space  Mission).  Rocket  performance  vector  entries  were  determined  by  the  technical 
literature  search  and  site  visit  discussions  citing  rocket  attributes  such  a  fuel,  oxidizer,  thrust  and 
diameter  The  baseline  structure  which  these  vectors  constitute  w.as  expanued  and  defined  further  as  more 
insight  was  gained  into  the  characteristics  which  drive  rock;?t  reliability. 

Following  the  Data  Summary  Sheets  i*;  a  matrix  containing  the  reliabiliiy  of  U.S.  launch  vehicle 
failures,  tabulated  in  Table  1  and  la-lf.  The  details  of  how  this  matrix  was  generated  are  contained  in 
Appendix  A  3. 


1.3  Deficiencies  of  Current  Aerospace  Reliability  Practice  In  Application  to  Current  Advanced  Launch 
System  Needs 

Current  Aerospace  Reliability  practice  has  not  been  able  to  affect  the  high  reliabilities  specified  for  Air 
Force  advanced  launch  systems.  Current  practice,  as  it  seems  from  the  investigations  undertaken  as  part 
of  this  effort,  is  relevant  toward  the  production  of  launch  vehicle  systems  whose  range  of  achieved 
reliability  is  upper  bounded  at  95%,  and  these  levels  have  been  achieved  only  after  significant  development 
programs  over  which  significantly  lower  reliabilities  were  the  norm  (80%  -  90%).  Many  of  the 
deficiencies  in  current  practice  are  a  product  of  the  developmental  history  of  aerospace  reliability 
technology  and  its  resulting  evolution  rather  than  direct  misapplications  of  reliability  techniques.  It  has 
taken  almost  30  years  for  a  systematic  reliability  discipline  to  be  developed  since  its  early  beginnings  in 
the  Titan  and  Apollo  programs.  At  the  time  of  its  creation,  the  US  and  world  industrial  base  was  quite 
different.  Failures  of  small  electronic  components  because  of  their  use  in  great  numbers  in  complex 
aerospace  designs  had  a  tendency  to  defeat  the  best  efforts  of  system  designers  and  render  embarrassingly 
useless,  expensively  developed  systems.  In  the  case  of  early  launch  vehicles,  national  prestige  and 
credibility  of  ICBM  deference  required  that  these  problems  be  eliminated  quickly.  The  electronic  systems 
were  the  roots  of  aerospace  reliability,  especially  in  the  era  when  quantitative  information  was  completely 
unavailable  (if  not  unheard  of). This  tended  to  influence  reliability  technology  development  toward  the 
generation  of  techniques  which  could  help  quickly  to  improve  the  performance  of  systems  without 
undertaking  the  long  term  development  of  more  reliable  individual  devices.  Papers  which  touted  the 
development  of  reliable  systems  from  less  reliable  devices,  the  initiation  of  qualitative  investigatory 
techniques  such  as  FMEAs,  and  the  use  of  redundancy  to  shore  up  the  areas  of  weakness  graduated  from  the 
academic  classroom  of  the  50’s  and  early  60's  to  become  the  inuuslria!  practice  of  the  late  60’s  and  eariy 
70's.  Finally,  they  became  institutionalized  in  the  late  70's  and  1980's. 

While  exposure  of  component  functional  failure  effects  through  FMEAs  and  their  elimination  through 
redundancy  works,  and  works  well  for  electronic  systems  where  weight  and  operational  constraints  are 
minimized  and  the  effect  of  a  single  failure  is  to  some  degree  localizpd.  fhp  usefulness  of  this  approach  has 
always  been  limited  in  propulsion  systems.  In  fact,  the  use  of  this  currently  institutionalized  qualitative 
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1 
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1 
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1 
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1 

1 

|U9. 0/12.0 
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1 

1 30, 8/ 3. 24 

!  »  t  !,  (  <  t  ) 

1 

I 

1 

1 
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1 

18 
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1 
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1 
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20 
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DATA  SUMMARY  SHEET 


PAGE  6 


NUM 

FNGINE  or  MOTOR 

NAME 

MOTOR  26 

Ihiokol  rE-M-36A2 

MOTOR  77 

Ihiokol  IE  H  447  1 

Motor  28 

Thiokol  TE-M-360  U 

User  Agency 

|USAF 

jUSAF 

jUSAF 

1 

1 

2 

Honufacturer 

I 

1 Th i okol 

( 

I Thiokcl 

J 

I  Th iokol 

I 

1 

1 

1 

3 

DCS  1  gnat i on 

j 

jSurncr  2,  2A 

I 

[Burner  2A 

1 

1$65 

1 

! 

1 

1 

(stage  or  motor) 

1 

1 

1 

1 

1 

U 

Engine  or  Motor 

1 

1 

1 

1 

1 

weight  (lb) 

1 

1 

1 

1 

1 

5 

Propel (ant  weight 

1 

1 

1 

1 

1 

(lb) 

1 

1 

1 

1 

1 

6 

Stage  number 

|upstage  (varies) 

1  upstage  2 

{upstage  2 

1 

1 

1 

? 

Ox  idi zer/Fuel 

1 

|sol  id 

1 

1  sot  Id 

1  sol  id 

1 

1 

1 

1 

1 

1 

8 

\ 

Mixture  ratio  (O/F)  | 

1 

1 

1 

1 

1 

1 

9 

Coolant 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

10 

lcngth/0 i ameter 

1 

15.0/5.2 

1 

15.8/5.2 

1 

|10.0/4.5 

I 

1 

1 

1 

(ft)/(ft) 

1 

1 

1 

1 

1 

1 

Throstlsea  lev)  (lb)] 

1 

1 

1 

1 

*  -  Ih.scc 

1 

1 

1 

1 

1 

1? 

Thrust  (vacuum) 

110.000 

18.000 

17.375 

1 

1 

(lb) 

1 

1 

1 

1 

1 

15 

Chamber  pressure 

( 

1 

1 

1 

1 

( PS  i  a ) 

1 

1 

1 

1 

1 

u 

Spec  impuls 

1 

1 

1 

1 

1 

(sea  level ) 

1 

1 

1 

1 

1 

15 

Spec,  irrtpuls 

1 

1 

1 

1 

1 

(vacuum)  (see) 

1 

1 

1 

1 

1 

16 

Total  burn  time 

1 

1 

1 

1 

1 

(sec) 

1 

1 

1 

1 

1 

17 

Nozzle  expansion 

1 

1 

1 

1 

1 

rat  io 

1 

1 

1 

1 

1 

18 

Nozz 1 e  ex i t  area 

1 

1 

1 

1 

1 

(fr«(t) 

1 

1 

1 

1 

1 

19 

E rig  me  cant  angle 

1 

1 

1 

1 

1 

(deg) 

1 

1 

1 

1 

1 

20 

Case  material 

1 

1 

i 

1 

1 

71 

1 

Case  segment  number  | 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

ZZ 

fhrust  vector 

1 

1 

1 

1 

1 

1 

! 

1 

1 

control  (T.V.C) 

1 

1 

1 

1 

1 

Zl 

Thrust  Coeffieent 

Cf| 

1 

1 

1 

1 

zi. 

No; 1 0  discharge 

1 

1 

I 

i 

1 

1 

1 

1 

1 

1 

coof f i cent  Cd  g 

1 

1 

1 

1 

1 

75 

Engine  cycle 

1 

1 

1 

1 

( 

1 

1 

1 

1 

26 

1 

Mass  Discharge  Rate  | 

1 

1 

1 

1 

1 

1 

1 

( t  b/sec ) 

1 

1 

1 

1 

1 

77 

Eng ine  cost 

1 

1 

1 

1 

1 

1 

1 

1 

78 

Engine  Rel iabi 1 i ty 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

! 

1 

1 

79 

Vehicle  Meme 

1 

iBurner  2,  2A 

1 

1  Burner  2A 

1 

[Stage  Vehicle  sys 

1 

1 

1 

1 

1 

23 


04/19/MV  IMTA  SUMJ-IAKY  SHEET  pace  1 


MUM 

eNGIMg  or  MOIOR 

NAME 

ENGINE  ) 

Aerojet  LR-87A0- U 

ENGINE  2 

Aerojet  LR-91 ■ AJ- 1 1 

ENGINE  3 

Aerojet  AJiO' 138 

ENGINE  4 

Aerojet  LR-87*AJ-5 

ENGINE  S 

Aerojet  LR *91 ■ AJ -5 

Uspr  Agency 

jUSAF,  Commercial 

jUSAF,  CoHmorcinl 

jUSAF 

|USAf 

jUSAF 

1 

2 

Manufacturer 

1 

j Aero  jet 

1 

|Aorojoi 

1 

lAcrojCt 

1 

{Aerojet 

1 

1 

[Aerojet 

1 

5 

Oc*^  1  gn  it  1  on 

1 

( 

1 

( 

I 

1  fr  aim f. age 

1 

1 

(Stage  or  motor) 

1 

1 

1 

1 

1 

4 

Engine  or  Motor 

1 

1 

1 

1 

1 

weight  ( lb) 

1 

1 

1 

1 

1 

5 

Prope 1 1  ant  weight 

1 294,000 

169,000 

|9,000 

1 

1 

(lb) 

1 

1 

1 

1 

1 

6 

Stage  nuiubcr 

1  1 

|2 

|3 

[1 

1 

1 

0^  1  h  1  /'  r  /  1  iml 

i 

iN^ar./M^K-'.-UOMM 

1 

[N.'’04/N?M4  -UDMH 

1 

|W204/N2H4*UOMH 

} 

1N204/N2H4-UDMH 

1 

1N2O4/N2H4-U0MH 

( 

8 

Mixture  rat io  (0/f ) 

1 

1 

1 

1 

1 

1 

1 

1 

1 

9 

Cool  ant 

1 

1 

1 

1 

1 

1 

! 

1 

1 

1 

10 

Length/O  i  anictor 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

n 

ThrusMsca  lev)  (lb) 

1264,500  /  273,000 

1 

1 

1215,000 

1 

*  =  lb.  see 

1 

1 

I 

1 

1 

12 

Thrust  (vacuum) 

1 

1101,000  /  104,000 

|8.000 

1 

1 100,000 

<lb) 

1 

1 

1 

1 

1 

13 

r.hnitibcr  pressure 

1 

1 

1 

1 

1 

(psia) 

1 

1 

1 

1 

1 

u 

Spoc  impulo 

1 

1 

( 

1 

1 

(sea  level ) 

1 

( 

1 

1 

1 

15 

Spec.  imjTjls 

I 

1 

1 

1 

1 

< vacuum)  ( see ) 

1 

1 

1 

1 

1 

16 

roCa(  burn  fime 

1 

1 

1 

1 

1 

(sec) 

1 

1 

1 

1 

1 

w 

Moz^lt  expansion 

1 

1 

1 

1 

1 

rati  0 

1 

1 

1 

1 

1 

18 

Mozi l c  exit  area 

1 

1 

1 

1 

1 

(ftxft) 

1 

1 

1 

1 

1 

19 

Engine  cant  <angle 

1 

1 

1 

1 

1 

(deg) 

1 

1 

1 

1 

1 

20 

Case  material 

1 

1 

1 

1 

1 

1 

21 

Ca^o  sogment  nenber 

1 

1 

1 

! 

I 

1 

1 

1 

1 

i 

1 

1 

1 

22 

Thrust  vector 

} 

1 

1 

1 

1 

1 

1 

control  cr.V.C) 

1 

1 

1 

1 

1 

25 

Thrust  Coeffieent  Cf 

1 

1 

1 

1 

1 

1 

24 

Mozzle  discharge 

1 

1 

1 

1 

1 

1 

1 

1 

I 

1 

coof f icent  Cd  g 

1 

1 

1 

1 

1 

25 

Engine  cycle 

1 

1 

1 

1 

1 

1 

1 

1 

26 

Mass  Discharge  Rate 

1 

1 

f 

1 

1 

1 

1 

1 

1 

f ' b/sec) 

1 

1 

1 

1 

1 

27 

Engir.rv  cost 

1 

1 

1 

1 

( 

j 

28 

Engine  Po 1 i ob  1 1 i t y 

1 

1 

1 

j 0.9800 

1 

1 

1 

1 

1 

1 

29 

ych  1  '•  1  0  Mamc 

1 

(rftan  340,  3,  4CCr, 
[4IUS 

1 

(Jit.in  340.  3,  iccr, 
|4IUS 

1 

1  T i tan  340 

1 

1 

{Titan  2  SLV 

1 

|Tilon  2  SLV 

1 

24 


0''./ 19/09 


DATA  SUHMAKY  SUKKT 


PAGE  2 


NUM 

ENGINE  or  MOTOR 

NAME 

ENGINE  6 

Rocket.  YLR-89-NA/ 

ENGINE  7 

Rocket.  ttR105-MA7 

ENGINE  8 

P&U  RL10A-3-5A 

ENGINE  9 

Rocket.  RS-27 

ENGINE  10 

TRW  TR201 

1 

User  Agency 

|NASA 

[NASA 

[NASA 

[NASA.  USAF 

[NASA 

2 

Manufacturer 

1 

jRocketdyne 

1 

1 

[Rocketdyne 

I 

jp&u 

1 

[Rocketdyne 

1 

[TRW 

3 

Dcs i gnat i on 

1 

|HA-5 

1 

1 

I 

[Centaur 

1 

[ELT  Thor 

1 

jOcl ta 

(stage  or  motor) 

1 

1 

I 

1 

1 

4 

Engine  or  Motor 

1 

1 

I 

1 

1 

weight  (lb) 

1 

1 

I 

1 

1 

5 

rropellani  weight 

1 11 1,506 

177,835 

114,867 

1 175,000 

1 10,000 

(lb) 

1 

1 

1 

1 

1 

6 

Sta<}e  ni/mber 

(1/2 

[  1 

i: 

1  1 

13 

Ox  id) Jer/fynl 

1 

tlOX/RP'  1 

1 

jlUK/RP  1 

1 

|L0X/LH2 

1 

|LOX/RP  1 

1 

[N202/N;H4  I'DMH 

3 

Mixture  ratio  (0/f; 

|2.25 

[2.22 

1 

|5.0 

13.33 

1 

[1.6 

9 

Coolant 

1 

1 

1 

[ 

1 

1 

1 

1 

[ 

1 

10 

Length/Oiometer 

1 

1 

1 

1 

[ 

1 

[ 

1 

1 

1 

1 

1 

1 

1 

1 

1 1 

Thrust(sea  lev)  (lb)(1S8,750 

160,500 

1 

1305,000 

1 

*  =  lb, sec 

1 

1 

1 

1 

1 

13 

Thrust  (vacuum) 

1 

1 

116,500 

1339,600 

19,530 

(lb) 

1 

1 

1 

1 

1 

13 

Chamber  pressure 

)650 

|733 

[474 

1650 

poo 

(psia) 

1 

1 

1 

) 

1 

u 

Spec  impuls 

|359 

1330 

1 

1361 

1 

(sea  level) 

1 

1 

t 

1 

1 

15 

Spec,  impuls 

1393 

1313 

|446.4 

1294 

1303 

(vacuum)  (see) 

1 

1 

i 

1 

1 

16 

Total  burn  time 

|153 

1385 

1404 

|337 

|518 

(sec) 

I 

i 

1 

1 

1 

17 

Nozz I e  expans i on 

|25 

|61 

IB 

146 

ratio 

I 

1 

1 

1 

1 

18 

No^z 1 e  ex  it  at  ea 

1 11. 34 

111.56 

|8.33 

113.0 

p7.4 

{  f txf t ) 

1 

1 

1 

1 

1 

19 

Engine  cant  angle 

|0 

|0 

|0 

|0 

1° 

(deg) 

1 

1 

1 

1 

1 

30 

Case  material 

1 

1 

1 

1 

1 

2^ 

C'ise  segment  number 

1 

1 

1 

1 

1 

1 

[ 

1 

[ 

1 

33 

Thrust  vector 

1 

(Gimbal led  Engines 

1 

[Gimbal led  Engines 

1 

[Gimballed  Engines 

I 

[Gimbal led  Engine 

1 

[Gimbal led  Engine 

control  (T.V.C) 

I  and  Verniers 

[  and  Verniers 

1 

1 

1 

33 

Thrust  Coeffieent  Cf|1.44 

[1.24 

|1.79 

[1.46 

[1.75 

34 

Nozzle  discharge 

1 

|5.54e-3 

I 

|5.64e-5 

1 

|4.01c-3 

1 

|5.59e-3 

1 

[5.78e  3 

coeffieent  Cd  g 

1 

1 

1 

1 

1 

35 

Engine  cycle 

1 

1 

1 

1 

1 

36 

Mass  Discharge  Rate 

1 

[728.8 

! 

[275.0 

1 

[37.0 

[ 

[785.4 

1 

[31.45 

( Ib/sec) 

1 

1 

1 

1 

1 

37 

Engine  cost 

1 

1 

1 

1 

1 

38 

Engine  Pel i abi 1 i ty 

1 

[0.9907 

1 

[0.9905 

1 

[0.9854 

1 

[0.9833 

[ 

[0.9774 

30 

Vehicle  Name 

1 

[Atlas  G  Centaur 

1 

[Atlas  G,  Centaur 

1 

[Atlas  C, Centaur  D* 

1 

1A[Delta39U/3924/6920/ 

1 

[Delta  3914/5924 

1  0  U/Atins  H 

1  D-1A/Allns  H 

1  /o  n,  Titnn  4CCP 

|6925,3910/3930/rAM  n 

1  59in7593n/PAM  0 

25 


Oi.,'  19/89 


DATA  SUMMARY  SHEET 


PAGE  3 


NUM  ENGINE  or  MOTOR 

ENGINE  11 

ENGINE  1? 

ENGINE  13 

ENGINE  U 

engine  15 

NAME 

Aerojet  AJ 10- 1 ISk 

Rocket .  RS-51 

PSU  SL10A-3-3B 

Rocket.  LR-89_NA5 

Rocket.  LR 

1 

tJ'.or  A'jpncy 

|NASA,USAF 

1 

(Varies 

(USAE 

[USAF 

(USAF 

2 

M.inuf  ac  turer 

1 

(Aerojet 

1 

(Rocketdyne 

1 

|P&U 

1 

1 

(Rocketdyne 

1 

jRocketdyne 

5 

Dos  i  qro.Tt  on 

(Stage  or  motor) 

1 

(Del t  a 

1 

(AMS 

1 

(Centaur 

1 

1 

(MA-3 

j 

1 

|MA-3 

1 

s 

Engine  or  Motor 
weight  (lb) 

Prepo 1 1 nnt  weight 
( lb) 

1 

1 

1 13,700 

1 

[2.790 

1 

1 

1 

1 

1 

1 

1 

1 

I 

1 

1 

1 

1 

6 

Stage  number 

|7 

1 

(upstage 

1  upstage 

|l/2 

1 

ii 

7 

Ck  i d 1 2or / Fuc 1 

I 

(M?02/N2HA-UDHH 

1 

[N204/MMH 

I 

1LOX/LH2 

t 

1 

ILOX/RP- 1 

1 

|LOX/RP-  1 

8 

Mixture  ratio  (0/F) 

i  1  -9 

1 

1 

1 

1 

1 

1 

9 

Cool  ant 

1 

1 

1 

1 

1 

1 

1 

1 

10 

Lengih/Oir.meter 
( f  r )  /  ( f  t ) 

! 

i 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 1 

Ihrust(srn  lev)  (lb)] 

*  =  lb. sec  I 

1 

1 

1 165,000 

1 

(60,000 

[ 

1? 

Thrust  ^vacuum) 

( Ih) 

|9,710 

(2,650 

1 15,000 

1 

1 

1 

1 

1 

1 

15 

Chart'tjnr  pressure 
( ps 1  a  ) 

|1U 

1 

1 

1 

t 

1 

1 

1 

J 

K 

Spoc  UtTDulS 

(sea  (e/el ) 

1 

1 

f 

1 

j 

1 

1 

1 

15 

Spec,  impuls 
(vacuum)  (see) 

1 370. 7 

1 

1 

1 

1 

1 

1 

I 

1 

16 

Total  burn  time 

(sor) 

|43532 

1 

1 

1 

i 

1 

1 

1 

1 

17 

18 

Not  2 1 fe  expans i on 
ratio 

no2 2 1 e  exit  area 

( ftxf  t  ) 

|65.2 

|19.9 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

19 

Engine  cant  angle 
(deg) 

|0 

1 

1 

1 

1 

1 

1 

1 

70 

Case  material 

1 

1 

1 

1 

7! 

e.r-e  Segment  number 

1 

1 

1 

1 

1 

1 

77 

Ihru'.t  vector 

r  '-nr  r  ol  <  T  .  V.C) 

j 0 1 mba 1 1 pd  Engine 

1 

1 

1 

1 

1 

1 

1 

1 

1 

7! 

Thrust  Coef f ieent  Cf 

|1.93 

1 

1 

1 

1 

74 

Nozzle  discharge 
coef  f icent  Cd  g 

16.036-3 

1 

1 

1 

1 

1 

1 

1 

1 

1 

75 

Engine  cycle 

1 

1 

I 

1 

76 

Mass  Discharge  Rate 

( 1 b/sec ) 

130.32 

1 

1 

1 

1 

1 

1 

1 

1 

1 

77 

Engine  COSt 

1 

1 

1 

1 

1 

78 

Engine  Reliability 

10.9774 

1 

1 

1 

1 

1 

1 

79 

Vehicle  Marne 

|0el ta3914/3924/7920/ 
|7975,3910/3970/PAM-0 

(Stage 

1 

|STS/Centaur  9 

1 

1 

|Atlas  E 

1 

1 

|AMas  E 

1 

26 
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DATA  SUMMARY  SHEET 


PACE  4 


NIJM 

ENGINE  or  MOfOR 

NAME 

ENGINE  16 

Bed  8096 

ENGINE 

AGC  Trnstge 

User  Agency 

|USAF,  NASA 

(NASA 

1 

j 

1 

1 

1 

1 

2 

Manufacturer 

1 

iBetl 

1 

[AGC 

1 

1 

1 

1 

1 

3 

Oes i gnat i on 

1 

|YLR-81BA-n 

1 

[Delta 

1 

1 

1 

1 

1 

1 

(stage  or  riMator) 

1 

1 

1 

1 

1 

Engjne  or  Motor 

1 

1 

1 

1 

1 

weight  (lb) 

1 

1 

1 

1 

s 

Propel lant  weight 

1 

1 

1 

1 

1 

(tb) 

1 

1 

1 

1 

1 

6 

Stage  number 

(upstage  (varies) 

(2 

{ 

[ 

1 

1 

1 

1 

1 

7 

Ox  i d i zer / Fuel 

1 

1 IRFNA/UOMH 

1 

IN202/A-50 

1 

1 

1 

1 

1 

1 

s 

1 

Mixture  ratio  (0/F)  | 

1 

1 

1 

I 

1 

1 

1 

1 

9 

Coolant 

1 

1 

1 

1 

1 

1 

I 

1 

I 

1 

1 

10 

L  enqth/D i ometer 

I 

1 

1 

1 

1 

1 

1 

(ft)/(ft) 

1 

1 

1 

1 

1 

1 

Thrust ( sea  lev)  < lb) | 

1 

1 

1 

1 

•  =  tb.sec 

1 

1 

1 

1 

1 

ij 

Thrust  (vacuum) 

|16,000 

1 10.000 

1 

1 

1 

(lb) 

1 

1 

1 

1 

1 

13 

Chamber  pressure 

1 

1 

) 

1 

1 

(psio) 

1 

1 

1 

1 

1 

U 

Spec  iu'puls 

1 

1 

1 

1 

1 

(sea  level) 

1 

1 

1 

1 

1 

15 

Spec,  impuls 

1 

1 

1 

1 

1 

(vacuum)  (see) 

1 

1 

1 

1 

1 

16 

Total  burn  time 

1 

1 

1 

1 

1 

(sec) 

1 

1 

1 

1 

1 

1? 

Nozzle  expansion 

1 

i 

1 

1 

1 

» at  to 

1 

1 

1 

1 

1 

18 

Nozzle  exi t  area 

1 

1 

1 

1 

1 

( frxf  t ) 

1 

1 

1 

1 

1 

19 

Engine  cant  angle 

1 

1 

1 

1 

1 

(deg) 

1 

1 

1 

1 

1 

?0 

race  material 

1 

1 

1 

1 

1 

I 

1 

1 

21 

1 

Cose  segment  number  | 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

22 

Thrust  vector 

1 

1 

1 

1 

1 

1 

1 

control  (T.V.C) 

1 

1 

1 

1 

1 

23 

Thrust  Coeffieent 

Cf  I 

1 

1 

j 

1 

1 

1 

1 

24 

Mo//le  discharge 

1 

1 

1 

1 

1 

1 

1 

coeffieent  Cd  g 

1 

1 

1 

1 

1 

25 

Engine  cycle 

1 

\ 

1 

1 

1 

1 

1 

1 

1 

1 

26 

1 

Mass  Discharge  Rate  | 

1 

1 

1 

1 

1 

( (b/sec ) 

1 

1 

1 

1 

1 

27 

Engine  cost 

1 

1 

1 
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TABLE  1 :  RELIABILITY  COMPARISON  OF  U.S.  LAUNCH  VEHICLE  FAMILIES 


SYSTEM  I  STAGE  NO. 


TABLE  1A:  RELIABILITY  OF  TOE  TOOR/DELTA  FAMILY 


Thor  /  Delta 

Vehicis  Name 

Data  Collection 

Thor 

Delta 

Combine 

Period 

57-83 

60-87 

57-87 

Success 

Ratio;  Mean 

5% 

0.8982 

0.8750 

0.9402 

0.9110 

0.9192 

0.8789 

9S\ 

0.9181 

0.9615 

0.9551 

stage  0 

0.9965 

0.9950 

Stage  1/2 

6 

Z 

Stage  1 

0.9346 

0.9850 

u 

J 

< 

Stage  2 

0.9764 

0.9746 

» 

Stage  3 

0.9877 

0.9843 

Stage  4 

Propulsion 

0.9568 

0.9701 

Guidance 

0.9830 

0.9950 

E 

u 

night  Control 

0.9907 

0.9851 

0 

Structure 

0.9969 

f) 

Electrical 

0.9815 

0.9950 

Separation 

09969 

0.9950 

Other  or  (UK) 

0.9923 

SYSTEM  I  STAGE  NO. 


TABLE  IB:  REUABIUTY  OF  THE  TITAN  FAMILY 


Vehicle  Name 
Data  Collection 
Period 


Succat* 
Ratio:  Mean 
5% 
9S% 


Stage  0 


Stage  1/2 


SUga  1 


SUga  2 


Stage  3 


Stage  4 


Propulalon 


Guidance 


Right  Control 


Structure 


Electrical 


Separation 


Other  or  (UK) 


Titan 


Titan  1 

Titan  11 

Titan  III 

Titan  34D 

Combine 

59-65 

62-76 

64-87 

82-87 

59-87 

0.6427 

0.8364 

0.9406 

0.7355 

0.8013 

0.5585 

0.8323 

09055 

0.4978 

0.6075 

0  7202 

0.9272 

0.9651 

0.8990 

0.9546 

0.8214 

0.9574 

0.7825 

0.9258 
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SYSTEM  I  STAGE  NO. 


TABLE  1C:  RELIABILITY  OF  THE  ATLAS  FAMILY 


Vehicl*  Name 

Data  Collection 

Period 

Atli 

ss 

Atlas  A 

57-58 

Atlas  B 

58-59 

Adas  C 

58-59 

Adas  D 

59-67 

Atlas  E 

60-88 

Adas  F 

61-81 

H 

Adas  G 

84-87 

Atlas  H 

83-67 

Adas/ 

Centaur 

62-87 

Combine 

57-88 

Succaas 

Ratio:  Maan 

04219 

0.5558 

0.5833 

0.8401 

0  7426 

0.8883 

0.9445 

no  failure 

no  failure 

0.9069 

0.7883 

5% 

0.1827 

0.3010 

0.2642 

0.8015 

0.6454 

0.8359 

0.8736 

0  6313 

0.6313 

0.8450 

0.4761 

95% 

0.6977 

0.7896 

08585 

0.8734 

08240 

0.9276 

0.9652 

0.9489 

0.9953 

Staga  0 

Staga  t/3 

0.8713 

0.9573 

0.9861 

0.9814 

d 

z 

Staga  1 

0.8523 

0.9279 

0.9719 

0.9810 

(9 

< 

Staga  2 

i 

0.9856 

0  9420 

(0 

Staga  3 

Staga  4 

Propulsion 

08844 

0.6667 

0.8713 

0.9212 

0.9824 

0.9535 

Guldanca 

0.9571 

0.9869 

3 

tu 

Flight  Control 

0.7688 

0.8889 

0.9428 

0.9869 

0.9824 

0.9907 

H* 

(0 

> 

Structura 

07688 

09857 

0.9814 

Elactrical 

0.9857 

0.9824 

0.9907 

Saparation 

1 

0.9824 

0.9907 

Othar  or  (UK) 

0.9934 
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SYSTEM  I  STAGE  NO. 


TABLE  1D:  REUABILITY  OF  THE  SATURN  FAMILY 


Saturn 

1  "Family" 

Data  Collection 

Jupiter 

Juno 

Saturn  1 

Saturn  IB 

Saturn  V 

Combine 

Period 

58-58 

58-61 

62-65 

66-75 

67-73 

58-75 

Success 

0.3611 

0.4300 

no  failure 

no  failure 

0.9822 

0.7547 

5% 

0  1026 

0.2135 

!  0  7943 

0.7743 

0.8180 

0.2652 

95% 

0.6879 

0.6743 

0.9997 

0  9935 

stage  0 

Stage  1/3 

6 

z 

Stage  1 

0.8575 

3 

< 

Staga  2 

0.5741 

0.7009 

09822 

1 

n 

Stage  3 

0.V629 

0.9822 

Stage  4 

0  6290 

0.9378 

Propulalon 

0  7870 

Guidance 

j 

I 

iJ 

Flight  Control 

i 

n 

K 

Structure 

j 

n 

Electrical 

Separation 

0.5741 

Other  or  (UK) 
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SYSTEM  STAGE  NO. 


TABLE  1E:  REUABIUTY  OF  THE  SCOUT  FAMILY 


Scout  “Family" 

Vehicle  Name 

Data  Collection 
Period 

Vanguard 

Scout 

Combine 

57-59 

GO-BB 

57-88 

Success 

Ratio;  Mean 

0.3388 

0.9420 

0.6404 

5% 

0.1555 

0.9023 

0.1821 

95% 

0.5723 

0  9683 

0  9744 

Stags  0 

Stage  1/2 

3 

B 

Stage  1 

0.8347 

0.9917 

U 

9 

i 

Stage  2 

0.5049 

0.9875 

0 

Stage  3 

0.8039 

0.9746 

Stage  4 

0.9870 

Propulsion 

0.7521 

0.9793 

Guidance 

0.9174 

0.9917 

1 

Li 

Right  Control 

0.8347 

0.9917 

f) 

Structure 

9 

Electrical 

0.9876 

Separation 

0.9959 

Other  or  (UK) 

0.8347 

0.9959 
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TABLE  1F:  REUABIUTY  OF  THE  SPACE  SHUTTLE 


Vehicla  Name 
Data  Collection 
Period 


system  of  reliability  techniques  can  lead  designers  and  decision  makers  to  make  incorrect  decisions  e\/en 
if  correctly  applied  as  is  demonstrated  below.  Finally,  it  appears  that  the  currently  institutionalized 
reliability  technology  base,  because  of  its  qualitative  nature,  will  be  unable  to  address  just  the  residual 
reliability  related  issues  such  as  residual  variability  reduction,  risk  management  and  human  reliability 
that  limit  launch  systems  to  their  current  operational  reliability  levels. 

Here  are  some  examples  why.  The  examples  fall  into  two  broad  categories:  either  they  are  the  result  of 
performing  FMEAs/FMECAs  or  quantitative  reliability  analysis. 

1.3.1  FMEAs/FMECAs 

FMEAs/FMECAs  are  structured  to  detect  single  point  failures.  When  single  point  failures  are  identified 
they  are  either  controlled  or  compensated  for  by  use  of  redundancy. 

Redundancy  and  Correlafion  Factors  -  When  applied  to  electronics,  redundancy  can  be  a  very  effective 
way  to  enhance  reliability.  However,  as  Section  2. 3. 1.2,  “Product  Design  FMEAs"  points  out,  even 
electronics  can  be  susceptible  to  “common  cause”  or  “correlation"  failure.  These  are  the  types  of  failures 
that  can  negate  the  benefits  of  redundancy  due  to  a  single  event.  Product  Design  FMEAs  have  proven  beneficial 
in  reducing  vulnerability  to  correlated  failures  in  electronics  systems  and  may  prove  to  be  beneficial  in 
the  analysis  of  propulsion  systems.  None-the-less,  propulsion  systems,  like  any  high  energy  system,  are 
inherently  more  vulnerable  to  correlated  failures.  This  is  supported  by  the  study  of  the  shuttle  main  engine 
development  history  which  is  summarized  in  Section  2.1.4  and  provided  in  detail  in  Appendix  A.1  “An 
ln\,estigation  of  Historical  Failure  Correlation  Factors  Using  the  Shuttle  SSME  Flight  History  as  an 
Example." 

Controls  and  Variability  -  When  redundancy,  for  whatever  reason,  is  not  an  option  when  conducting 
an  FMEA,  the  failure  mode  is  “controlled"  either  by  designing  the  failure  mec.'  anism  directly  out  of  the 
system  or  by  placing  more  stringent  controls  on  manufacturing  and/or  testing.  Designing  a  failure 
mechanism  out  is  usually  not  a  viable  option  because  it  requires  a  physically  different  way  of  obtaining  the 
same  function.  Thus,  manufacturing  or  testing  is  the  most  practical  way  of  constraining  the  failure  mode. 
The  only  problem  with  this  approach  is  that  if  methods  are  not  in  place  to  measure  the  effects  in  terms  of 
reduced  variability,  there  is  no  way  to  measure  the  impact  on  reliability. 

Reusability  -  Another  potential  problem  with  FMEAs  is  that  they  tend  not  to  be  “living"  documents  in 
the  sense  that  if  a  system  is  reused  or  is  reusable,  the  FMEA  is  not  structured  to  handle  the  potential  results. 
For  instance,  weld  failures  on  the  Space  Shuttle  Main  Engine  can  result  from  thermal  cycling  and  fatigue 
through  reuse.  The  FMEA  is  not  structured  to  conveniently  handle  this  situation. 

“Bottom  Up"  Methodology  -  As  has  been  previously  discussed.  FMEAs/FMECAs  are  “bottom  up"  meth¬ 
odologies  and  as  such  are  not  designed  to  list  all  potential  malfunctions  of  a  system,  only  those  which 
propagate  from  known  failure  modes  of  components  within  the  system.  Witnout  a  comprehensive  way  of  an¬ 
ticipating  system  or  subsystem  malfunctions  in  a  global  sense,  the  analyst  can  never  be  comfortable  that 
the  FMEA/FMECA  is  exhaustive.  A  “Top  Down"  methodology  as  described  in  Section  2. 3. 1.2  would  help 
overcome  this  “Bottom  Up"  obstacle. 
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1.3.2  Quantitative  Reliability  Analysis 

In  order  for  quantitative  reliability  analysis  to  be  effective  the  three  following  constituents  must  be 
present; 

1.  Meaningful  Reliability  Data/issues 

2.  Proper  Reliability  Analysis  Tools 

3.  Risk  Analysis  and  Management  Capabilities 

Meaningful  Reliability  Data/Issues  -  For  the  current  generation  of  launch  vehicles,  the  historical  data 
set  (see  Appendices  A.i  and  A. 3)  appears  to  be  both  meaningful  and  capable  of  addressing  the  key  reliability 
issues.  To  be  meaningful,  the  reliability  data  must; 

1 .  Be  complete  for  both  success  and  failure. 

2.  Have  failure  causes  consistently  identified. 

3.  Have  chronologies  of  failure  history  established. 

4.  Have  design  change  chronologies  established. 

In  order  to  be  effective,  however,  the  following  issues  must  be  resolved; 

1.  How  relevant  is  history  in  predicting  future  performance  in  a  developmental  system? 

2.  How  is  historical  reliability  growth  to  be  accounted  for? 

-  old  failures  less  than  new? 

-  How  are  design  changes  factored  in? 

3.  What  effect  does  hold  down  time  just  prior  to  launch  have  on  prevention  of  failures  which  otherwise 
would  occur  after  launch? 

These  issues  can  only  be  addressed  by  applying  the  appropriate  quantitative  reliability  models  using 
a  properly  developed  and  structured  historical  data  set. 

Quantitative  Reliability  Analysis  Tools  Specifically  for  Propulsion  Systems  -  Until  now  the  only 
quantitative  methodology  available  for  propulsion  systems  which  addresses  the  developmental  nature  of 
such  systems  have  been  traditional  reliability  growth  methods  (such  as  the  Duane  approach  and  Weibull 
methods)  and  D.  Lloyd’s  methodology  (see  Section  2.2.2).  Even  if  these  methodologies  were  adequate  in 
addressing  overall  launch  vehicle  reliability,  three  other  areas  should  be  considered  in  order  for  a 
quantitative  reliability  analysis  to  be  fully  effective. 

They  are. 

•  Estimation  of  Stage  Reliability 

•  Estimation  of  System  Reliability 

•  Estimation  of  Engine  or  Motor  Reliability 


A  method  of  estimating  launch  vehicle  reliability  is  summarized  in  Section  2.2.1  and  all  four  methods 
are  described  in  detail  in  Appendix  A. 3,  “Reliability  Analysis  for  Current  US  Launch  Vehicles". 
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Risk  Assessment/Management  -  Section  1 .3.1  has  described  the  limited  value  of  FMEAs/FMECAs  in  the 
quantification  of  reliability.  Although  they  are  useful  in  constructing  logic  models  (see  reliability 
techniques,  Figure  2),  strictly  speaking  they  can  only  be  used  to  quantify  consequences.  For  instance,  they 
can  be  used  to  quantify  total  number  of  welds  whose  failure  could  cause  loss  of  an  engine,  cluster,  stage, 
or  vehicle  (consequences),  but  this  approach  does  not  provide  the  analyst  with  the  quantitative  risk 
discriminating  information  required  of  a  decision  making  tool.  A  decision  making  tool  allows  the  analyst 
to  rank  individual  weld  failures,  for  example,  with  other  sources  of  propulsion  system  failures  in  order 
to  determine  where  to  best  expend  resources.  If  a  decision  is  made  to  expend  the  funds,  the  funds  must 
be  dedicated  or  “fenced  off"  and  made  distinct  from  management  reserve  funding.  Even  well  developed 
criticality  ranking  techniques  do  not  do  the  job  sufficiently  because  they  do  not  develop  rankings  at  the 
system  level  but  only  at  subsystem  or  lower  levels,  since  their  system  level  rankings  are  often  developed 
only  on  a  near  relative  basis.  This  approach  can  give  the  impression  that  a  thrust  vector  control  system 
single  failure  is  just  as  important  as  other  propulsion  system  elements  such  as  a  heat  exchanger  or  turbo¬ 
pump,  even  though  the  latter  may  have  several  orders  of  magnitude  higherfailure  probability.  The  solution 
to  this  problem  is  to  use  the  quantitative  reliability  analysis  tools  of  Section  1.3. 2. 2  in  conjunction  with 
Risk  Analysis/Assessment  techniques  as  described  in  Sections  2. 3. 1.3  and  2.3.2. 

Figure  8  (Section  2.3)  shows  the  relationship  of  risk  management  and  assessment  to  infrastructure 
controls  that  have  an  impact  on  reliability. 
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2.0  (TASK  2)  RELIABILITY  ENHANCING  METHODOLOGIES 


2.1  Lessons  Learned 

This  section  is  concerned  with  lessons  learned  either  as  a  direct  result  of  plant  visits  or  from  a  related 
analysis. 

2.1.1  Variability  Control 

Variability  control  was  highlighted  as  a  reliability  enhancer  at  Hercules  (West  Virginia)  and 
McDonnell  Douglas  (Huntington  Beach,  CA),  as  noted  in  Appendix  B. 

The  Hercules  trip  indicated  that  solid  rocket  motors  can  achieve  high  reliabilities  (>.999)  and  maintain 
these  reliabiiities  over  reasonable  production  runs  (as  many  as  1000  units/year),  if  the  proper 
reliability  considerations  are  included  in  the  design  and  development  phases  of  the  program  and  the  proper 
process  controls  are  in  place,  and  if  the  proper  test  program  remains  in  place.  The  process  control  system 
must  be  able  not  only  to  detect  penetrations  of  the  Upper  Quality  Limit  (UQL)  and  Lower  Quality  Limit 
(LQL),  but  also  trends  toward  unacceptable  quality  These  trends  must  be  thoroughly  investigated  and  tied 
to  causes,  the  causes  addressed,  solutions  derived  and  implemented,  and  control  mechanisms  directed  at 
controlling  key  process  parameters  verified  as  being  reestablished. 

2.1.2  Reusability 

Reusability  is,  on  the  surface,  a  design  goal  of  significant  program  benefit.  However,  the  benefits  of 
reusability  are  significantly  compromised  if  the  reliability  of  an  engine  is  adversely  affected  by  the 
requirement  for  reuse.  Besides  the  direct  costs  involved  in  developing  a  reusable  design,  there  now  appears 
to  be  a  significant  indirect  cost  required  to  maintain  reliability  in  reusable  design.  For  example, 
reusability  by  its  very  nature  tends  to  decrease  the  production  run.  When  production  runs  are  decreased, 
investments  in  automated  production  equipment  becomes  less  economical  and  the  production  process 
therefore  tends  to  become  more  prototypical.  Prototypical  production,  especially  of  complex  equipment, 
increases  the  problem  of  variability  control  and  therefore  substantial  post  production  testing  may  be 
required  to  ensure  high  reliabilities.  A  good  example  of  such  an  indirect  impact  on  reusability  was  seen  at 
the  Roc.-^eldyne  SSME  production  facility  in  Canoga  Park,  California. 

2.1.3  Performance  Indicators 

For  high  reliability  programs  it  is  important  to  identify  early  on  symptoms  of  the  process  which 
presage  deterioration  in  performance.  This  has  been  done  in  the  financial  community  by  the  development 
of  a  set  of  “leading"  performance  indicators  and  developing  performance  trends  based  upon  the  indicator 
trajectories  through  time.  If  such  a  set  of  indicators  could  be  developed  and  trended  for  advanced  propulsion 
system  development  programs,  the  indicator  trajectories  might  provide  early  warning  of  problems  arising 
during  deveiopmont  and  operation  This  early  warning  could  provide  the  time  required  to  institute 
corrective  action  before  actual  program  reliability  performance  is  affected. 


2.1.4  Correlation  Factors  (See  Appendix  A.1) 

Given  the  current  state  of  rocket  engine  technology,  there  exists  a  finite  probability  of  catastrophic 
engine  failure  during  a  vehicle  launch.  A  catastrophic  engine  failure  is  considered  one  in  which  the  engine 
does  not  shut  down  in  a  controlled  manner  and  includes  uncontrolled  fire,  explosion,  breach  of  the  pressure 
boundary,  shrapnel,  complete  loss  of  fuel  or  oxidizer  supply,  or  a  combination  of  these.  Given  that  an  engine 
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has  failed  catastrophically  in  flight,  an  immediate  concern  is  for  other  critical  hardware  in  the  vicinity 
of  the  failed  engine.  For  vehicles  configured  with  multiple  engines  in  a  cluster,  the  question  becomes 
whether  the  catastrophic  failure  of  one  engine  will  result  in  the  catastrophic  loss  of  the  entire  engine 
cluster. 

In  the  present  study,  the  correlation  between  a  catastrophic  failure  of  a  Space  Shuttle  Main  Engine 
(SSME)  and  the  propagation  of  that  failure  to  include  the  entire  SSME  three  engine  cluster  has  been 
developed  based  upon  the  SSME  Test  History. 

Conclusions  -  In  the  development  of  future  launch  vehicles,  the  potential  benefit  of  engine  out 
capaoilities  must  be  weighed  against  the  risks  that  if  an  engine  fails  in  an  uncontrolled  manner,  it  will 
result  in  the  loss  of  the  entire  engine  cluster.  This  study  evaluated  the  SSME  which  is  flown  in  a  three  engine 
cluster.  No  uncontrolled  SSME  failures  have  occurred  in  flight.  Only  a  limited  amount  of  ground  testing  has 
actually  been  done  in  a  three  engine  cluster  and  although  failures  have  occurred,  none  have  propagated  to 
involve  the  entire  cluster. 

However,  the  test  data  evaluated  here  indicates  there  is  a  reasonable  probability,  approximately  1 7%, 
that  an  uncontrolled  SSME  failure  will  propagate  to  the  adjacent  engines  given  that  an  uncontrolled  failure 
occurs.  The  confidence  interval  is  between  4%  and  41%  that  a  failure  will  propagate  to  the  cluster  (at  95% 
confidence). 

A  sumrrary  of  the  results  of  the  data  review  is  given  in  Table  2. 

2.1.5  Correlation  vs.  Engine  Out  Capability(See  Appendix  A. 2) 

A  preliminary  correlation  factor  vs  engine  out  capability  study  was  conducted  using  the  following 
assumptions; 


•  Smaller  engines  are  more  reliable  than  larger  ones. 

•  Increased  plumbing  due  to  a  larger  number  of  engines  decreases  reliability. 

The  results  of  the  study  indicate  that  a  four  engine  configuration  would  be  the  most  reliable  if  correlation 
factors  are  not  taken  into  account. 

When  correlation  factors  are  between  20  and  27%  the  four  engine  configuration  is  no  better  than  a 
single  engine  configuration.  Section  2.1 .4  indicates  that  the  95%  interval  for  correlation  failure  is  4  to 
41%.  Therefore,  there  is  a  substantial  probability  that  correlated  failure  on  an  engine  design  which  is 
comparable  to  the  SSME  could  negate  engine  out  capability. 
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TABLE  2  SSMECORBELATIONOfFALUflE  FACTOR 


2.2  Historical  Data  Analysis 

Historical  Data  Analysis"  is  Intended  only  to  acquaint  the  reader  with  the  various  analytical  options 
presently  available.  In  tact,  as  is  discussed  in  Section  3.0  (Comparison  of  the  Methods  of  Section  2.2), 
there  is  insufficient  information,  as  well  as  limited  time  and  resources  available  to  the  study,  to  make 
a  thorough  comparison  of  methodologies.  Further  studies  are,  however,  recommended  as  stated  in  the 
Recommendations  Section. 

2.2.1  Y.  Shen's  Methodology  (Reliability  Analysis  for  Launch  Vehicles) 

The  performance  history  of  any  launch  vehicle  can  be  considered  as  having  two  time  periods,  the  early 
development  period  and  the  stable  performance  period.  During  the  early  development  period,  the 
unreliability  of  a  launch  vehicle  is  generally  high  and  unstable.  After  a  “failure  analysis  and  fix"  process 
in  combination  with  technical  and  design  improvements,  the  unreliability  of  a  launch  vehicle  goes  do-.vn 
and  stabilizes. 

This  effect  of  early  transient  behavior  followed  by  stable  reliability  behavior  is  indicated  in  Table  1  la 
for  the  Thor/Delta  family  and  Table  11b  for  the  Titan  family.  In  both  cases,  oscillating  reliability 
histories  are  observed  early  on  with  later  stable  performance.  It  is  also  interesting  to  note  that  Titan  I 
appears  to  have  never  reached  stability  and  the  Delta,  being  based  on  the  significant  Thor  history,  reached 
a  stable,  high  level  of  reliability  very  quickly. 

These  historical  reliability  growth  curves  are  developed  according  to  the  following  method. 

The  maximum-likelihood  estimator  (failure  ratio)  for  unreliability  can  be  defined  as: 

U  =  F/  L 


Where  F  is  a  cumulative  failure  number,  L  is  a  cumulative  launch  number  and  F  is  a  function  of  L 
The  easiest  way  then  to  estimate  the  average  unreliability  of  a  launch  vehicle  is: 

U,  =  F/L  ( 1  ) 

where  is  the  estimated  average  unreliability,  and  F  and  L  are  the  cumulative  failure  and  launch  numbers. 

As  was  mentioned  before,  the  reliability  growth  effect  must  be  considered  to  get  a  more  realistic 
estimation  of  the  unreliability.  In  the  present  model,  the  average  unreliability  is  defined  as 

U  =  U,-AU  (2) 

where  AU  is  the  correction  reliability  caused  by  the  reliability  growth  effect  and  can  be  explained  as 


AU  =  AF/L 
or 

AF  =  AU  •  L 

where  AF  is  the  correction  cumulative  failure  number. 


(3) 
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Averaging  both  sides  of  equation  (3).  we  get 


AF  -  aU 


AU  =  «  AF 


Substitute  equation  (1)  and  equation  (4)  into  equation  (2) 


U  = — •  AF 


The  estimation  of  the  unreliability  of  the  launch  vehicle  at  the  nth  launch  can  then  be  approximated  as 


''H- 

Ln  L  n 


N  Fr, 

T  .'Fi  -  il-  Li) 
i  >  1  i-  n 


where  L,  is  the  i'^  launch  number,  and  f ,  s  tha  cumulative  failure  number  at  i'''  launch. 
The  reliability  R„  at  the  n  -  launch  is 


N  Fn 

S  {Fi  -  --•  Li) 
=  1  L  n 


Rn=  I  -  Un='l  •  I  — 


The  concepts  of  confidence  level  bas  -d  on  the  value  of  average  reliability  from  equation  (7)  are  now 
illustrated  as  the  following 

Let  N  be  the  launch  number,  then  X  ==  N  •  R„  is  the  success  number.  In  this  case,  the  5th  percentile 
confidence  is  given  by  - 


Rq  05  - 


X  J  ;  I )  -  X  T  ! )  F q  5(  2  n-  2  x  +  2 ,  2  x  ] 


and  the  95th  percentile  confidence  is  given  by- 


1^0.95 


;  x  +  1  )  Fq  95(  2x4-2,2n-  2x) 
(n-x)  +(x+1)Fo95(2x  +  2,2n-2x) 


where  F^(  n,,nj)  is  the  100  percenlifa  o  -  distribution  with  n,  numerator  and  n^  denominator  degrees 
of  freedom. 


TABLE  3:  AN  EXAMPLE  OF  A  TEST  SEQUENCE  PERFORMED  ON  A  SOLID  ROCKET,  ITS  RESULTS  AND  RELIA- 
_ BILITY  COMPUTATION  USING  D.  LLOYD’S  METHOD _ 

Test  Monthsof  Re-  Value  of  failure  f  =  1-(1-Y)''" 

no.  testing*  suits  -  ^  Remarks 


1 

0 

S 

0.000 

1 .000 

Successful  test 

2 

3 

S 

0.000 

1.000 

Successful  test 

3 

5 

F 

1 

1.000 

0.667 

Failure  mode,  f, 
case  burnthrough 

4 

8 

S 

1 

1.000 

0.750 

Successful  test 

5 

1  1 

S 

0.900 

0.900 

0.820 

f,  corrected,  internal 
installation  added, 
success 

6 

12 

S 

0.684 

0.684 

0.886 

Successful  test 

7 

13 

S 

0.536 

0.536 

0.923 

Successful  test 

8 

1  4 

F 

0.438 

1 

1.438 

0.820 

Failure  mode,  fj 

TVA  failure 

9 

1  6 

S 

0.369 

1 

1 .369 

0.848 

TVA  not  tested 

1  0 

18 

S 

0.319 

0.900 

1 .219 

0.878 

Successful  test  of 

TVA  fix 

1  1 

20 

F 

0.280 

1 

1 

2.280 

0.793 

Failure  mode  fj  re¬ 
curs,  f. 

1  2 

21 

S 

0.250 

1 

1 

2.250 

0.812 

TVA  not  tested 

13 

23 

S 

0.226 

0.900 

0.900 

2.026 

0.844 

Successful  test  of  2nd 
TVA  fix 

14 

25 

S 

0.206 

0.684 

0.684 

1.574 

0.888 

Successful  test 

15 

28 

S 

0.189 

0.536 

0.536 

1.261 

0.916 

Successful  test 

16 

29 

F 

0.175 

0.438 

0.438 

1 

2.051 

0.872 

Spec,  violation, f. 

1  7 

30 

F 

0.162 

0.369 

0.369 

1 

1 

2.900 

0.829 

2nd  spec  violation,  fj 

18 

32 

S 

0.152 

0.319 

0.319 

0 

0 

0.790 

0.956 

Spec,  change  elimi¬ 
nates  f,,  f; 

19 

32 

S 

0.142 

0.280 

0.280 

0 

0 

0.702 

0.963 

Successful  test 

20 

33 

S 

0.134 

0.250 

0.250 

0 

0 

0.634 

0.968 

Successful  test 

21 

35 

S 

0.127 

0.226 

0.226 

0 

0 

0.579 

0.972 

Successful  test 

22 

37 

S 

0.120 

0.206 

0.206 

0 

0 

0.532 

0.976 

Successful  test 

23 

39 

S 

0.1 14 

0.189 

0.189 

0 

0 

0.492 

0.979 

Successful  test 

24 

40 

s 

0.109 

0.175 

0.175 

0 

0 

0.459 

0.981 

Successful  test 

25 

42 

s 

0.104 

0.162 

0.162 

0 

0 

0.428 

0.983 

Successful  test 

*  Number  of  months  after  start  of  test  program,  not  length  of  test. 

Notes:  Test  no.  4:  failure  from  test  no.  3  (I,)  is  not  yet  diminished  because  corrective  action  is  not  implemented  until  test  no. 
5:  f,  continues  to  diminish  in  all  subsequent  tests  since  it  does  not  recur. 

Test  no.  9:  failure  from  test  no.  8  (f,)  is  not  diminished  because  the  thrust  vector  actuator  (TVA) subsystem  is  not 
'hooked  up*  until  fix  is  implemented  and  successfully  tested  in  test  no.  10. 

Test  no.  11:  failure  from  test  no.  8  (f,)  recurs:  therefore,  fix  implemented  in  lest  no.  10  is  not  considered  successful,  and 
both  TVA  failures  are  reinstated  as  full  failures. 

Test  no.  12:  TVA  is  not  tested  while  failure  mode  is  undergoing  engineering  analysis,  therefore,  f,  and  f,  are  not  oimmished: 
Test  no.  13:successful  test  of  new  TVA  fix  applies  to  both  failures  (f,.  !,):  therefore,  values  of  both  failures  are  diminished 
TVA  failure  does  not  recur  in  the  remainder  of  the  example  and,  therefore,  both  failure  values  continue  to  diminish. 

Test  no.  16:  small  performance  anomaly  occurs:  however,  it  is  outside  current  specification  limits  and, therefore,  must 
be  considered  a  failure  (fj. 

Test  no.  17:  same  as  lost  no.  16  (I,). 

Tost  no.  18:  Corrective  action  lor  f,  and  f,  is  to  change  specifications/conditions  (with  customer  approval).  With  this 
change,  tests  16  and  17  become  "non-failures'  and  I,  and  f,  immediately  become  zero. 

Test  nos.  19-25:  all  are  successful,  demonstrating  a  lower  probability  of  failure  for  f,,  f,  and  f,  failure  modes. 
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For  a  complete  discussion  of  this  methodology,  see  Appendix  A. 3. 


2.2  2  0.  Lloyd's  Methodology  (Taken  from  Reference  14) 

D.  Lloyd  developed  a  method  lor  estimating  and  forecasting  reliability  from  attribute  data,  using  the 
binomial  model,  when  reliability  re:;uirements  are  very  high  and  test  data  are  limited.  Integer  data — 
specifically,  numbers  of  failures — are  converted,  using  this  approach,  into  non-integerdata.  The  rationale 
is  that  when  engineering  corrective  action  for  a  failure  is  implemented,  the  probability  of  recurrence  of 
that  failure  is  reduced:  therefore,  such  failures  should  not  be  carried  as  full  failures  in  subsequent 
reliability  estimates.  The  reduced  failure  value  for  each  failure  mode  is  the  upper  limit  on  the  probability 
of  failure  based  on  the  number  of  successes  after  engineering  corrective  action  has  been  implemented.  Each 
failure  value  is  less  than  one  and  diminishes  as  successes  continue.  These  numbers  repla. e  the  integral 
numbers  (of  failures)  in  the  binomial  estimate. 

In  Lloyd’s  research,  this  metnod  of  reliability  estimation  was  applied  to  attribute  data  from  the  life 
history  of  a  previously  tested  system,  and  a  reliability  growth  equation  was  fitted.  It  was  then  "calibrated" 
to  allow  for  reliability  projections  to  be  db.’olonod  for  a  new  similar  system.  In  this  way,  the  model  allows 
for  management  to  discern  early  on  whether  the  system’s  ultimate  reliability  requirement  will  be  met  and, 
if  so,  when  is  it  likely  to  be  achieved.  By  comparing  current  estimates  of  reliability  with  the  expected  value 
'  omputed  from  the  model,  a  reliability  growth  forecast  can  be  obtained  by  extrapolation. 

An  example  application  of  Lloyd's  method  to  a  solid  rocket  program  is  shown  in  Table  3.  As  can  be  seen, 
the  methodology  predicts  a  significantly  higher  success  ratio  (.983  vs  .80)  than  would  be  obtained  without 
considering  growth. 


2.2.3  Curve  Fitting  (Polynomial) 

Polynomial  trends  are  of  the  form 
Y  =  A  +  BX  +  CX^  +  DX^  +  .  .  .  +  JX*" 

The  straight  line  is  a  special  case,  having  only  the  first  two  terms  on  the  right  of  the  equality  sign.  With 
three  terms  on  the  right,  the  polynomial  is  of  quadratic  form,  and  so  forth.  Typical  forms  are  shown  in 
Figure  3.  Generally  speaking,  if  is  unwise  to  fit  a  high-degree  polynomial  to  the  data  because  doing  so  almost 
assures  the  mixing  of  trend  and  cycle.  Also,  a  glance  at  the  figure  below  will  show  that  none  of  the 
polynomials,  other  than  the  straight  line,  can  be  extended  or  projected  very  far  without  going  off  the  page. 
Keep  in  mind  that  only  a  portion  of  the  curve  is  used  to  represent  the  trend. 
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Figure  3.  Typical  fornis  of  some  trend  equations. 

Of  course,  a  polynomial  can  be  forced  to  fit  the  data  quite  closely  by  adding  enough  terms.  A  well  known 
theorem  in  algebra  states  that  a  polynomial  of  degree  k  can  be  passed  through  k+t  points  ''n  a  plane. 
Accomplishing  this,  or  anything  near  to  it,  does  not  contribute  any  information  about  trend.  Thi8>  becomes 
evident  when  it  is  recalled  that  1  degree  of  freedom  is  lost  for  error  for  every  parameter  that  is  estimated 
from  the  data.  Thus,  if  there  are  n  observations  and  n  degrees  of  freedom  are  lost  in  fitting  a  polynomial 
of  degree  n-1 ,  0  degrees  of  freedom  left  for  error. 

All  polynomials  can  be  fitted  utilizing  the  method  of  least  squares. 


2.2.4  Bayesian  (Reference  15) 

Suppose  a  propulsion  system  is  being  built  with  a  0.95  reliability  requirement  at  the  90%  confidence 
level.  The  system  goes  through  a  number  of  tests:  component,  environmental,  subsystem,  system,  extended 
time,  etc.  There  are  failures  which  are  corrected  (permanently,  it  is  hoped).  A  final  configuration  is 
attained.  It  is  also  assumed  that  the  project  is  at  least  50%  sure  that  a  0.95  reliable  system  has  been 
achieved  If  thirteen  tests  are  run  with  no  failures,  has  the  0.95  requirement  been  met?  The  classical 
binomial  approach  (see  section  2.2.5)  would  indicate  that  the  requirement  has  not  been  met. 

This  problem  is  typical  of  today’s  work  in  the  aerospace  industry:  few  systems,  few  tests,  compressed 
schedules  and  high  reliability  requirements  and  costs.  The  limited  number  of  samples  for  test  permit  no 
failures  since  even  one  failure  would  imply  an  intolerably  high  failure  rate.  Indeed,  all  ‘hi-rer  programs 
have  -failure  recurrence  prevention”  systems.  All  failures  are  -fixed"  and  -closed".  These  activities, 
in  effect,  imply  that  at  time  of  -buy  off,”  no  failures  should  occur  on  qualification  or  demonstration  tests. 
Hence,  any  solution  to  the  reliability  demonstration  problem  should,  as  a  practical  matter,  address  itself 
to  zero  failures  and  few  trials. 
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Bayes  Theorem,  in  the  continuous  case,  states: 

I  gT  MP)  P)cip 


■  -  \  •  -  '  1  •  / 


J, 


g-(  r  IP)  w{  p)  dp 


(1  ) 


Here,  R 
r 

a(Mp) 

w(p) 


=  lower  (Bayesian)  confidence  limit  of  the  true  reliability,  p; 
=  observed  number  of  failures  in  n  trials; 

=  the  conditional  probability  density  function  of  r  given  p;  and 
=  the  a  priori  frequency  function  cf  p. 


In  the  binomial  case, 


Here  |  =  The  number  of  combinations  cf  n  things  taken  i  at  a  timo, 
q  =  1  -p 


It  is  assumed  that  the  engineer  is  capable  of  assigning  a  probability,  P  (degree  of  belief)  to  the  event 
that  the  required  reliability ,  or  more,  has  been  attained  prior  to  test.  It  is  also  assumed  that  this  prior  belief 
declines  linearly  to  sem  ts;  p  =  o  and  p  =  100%. 


Thus,  w(p)  takes  the  form  of  the  triangle  distribution  as  toliows, 
w(p)  = 


w(  p) 


R 


_  TP(  1-  p) 


for  0<p<R 


for  R<pi  1 


(  1-  R) 

Here,  P  =  prior  probability  of  having  the  required  reliability,  R. 


That  w{p)  does  have  the  proper  values  can  be  seen  by  obtaining  the  required  heights  at  R  and  multi¬ 
plying  these  frequencies  by  t.f'e  oases  H  and  (1  H)  of  the  triangibC  of  (3)  and  (4).  Then  for  the  left  hand 
interval.  (0,  R|,  we  t:a''o  at  p  =  ft. 


w(  R) 


2(2-_P)  R 
ft 


2_(_1  -_P2_ 
R 


Area  over  (0,R)  =  1-P 

2 
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Similarly  at  p  =  R  for  the  right  hand  interval,  (R,  1),  we  have 


Area  over 


R  1)  _  (1-  R)W(R)  _  (1-  R)2P(1-  R)  _  p 


2(1-R) 

Note;  The  discontinuity  at  R  is  of  probability  measure  zero. 

Inserting  (2),  (3),  and  (4)  in  (1)  yields,  after  cancellation  and  simplication, 


Prob(  R<p<1 ) 


1 


2r‘’  n  -f+1  f 

(  1-  P)  (  1-  R)  p  qc|o 


1  +■ 


2f^  n- f  f+1 

(P)(R)  p  q 

•'R 


Figure  4  graphically  displays  equation  (5).  Note  that  in  this  case,  thirteen  tests  with  zero  failures 
are  adequate  fo  demonstrate  a  reliability  of  0.95  at  90%  confidence  (given  a  0.5  on  the  Bayesian  Prior 
scale). 

While  there  can  be  no  doubt  that  Bayesian  methods,  as  can  be  seen  from  this  example,  can  provide 
significant  test  reduction  to  demonstrate  a  reliability  requirement,  performing  the  analysis  requires  the 
development  of  a  prior  distribution  which  is,  at  least  to  some  degree,  subjectively  based.  Also,  Bayesian 
approaches  are  highly  sensitive  to  the  prior  distributions  used.  If  no  meaningful  estimate  of  the  prior 
probability  of  success  can  be  made,  none  of  the  above  conclusions  apply.  Particularly,  one  must  be  wary 
of  consistent  optimism  or  pessimism  when  records  of  success  do  not  support  the  prior  probabilities. 

For  example,  if  optimism  about  a  new  design  is  guarded  and  feasibility  tests  are  few  or  non-existent, 
then  the  analysis  is  driven  towards  a  rectangular  prior  (equally  probable  prior  intervals),  and  the 
results  are  just  as  unfavorable  (in  terms  of  the  large  number  of  tests  required)  as  they  are  for  the  binomial 
distribution.  In  other  words,  since  one  cannot  be  over  0.5  on  the  prior  scale,  11  tests  are  required  with 
zero  failures  to  be  .90  reliable  at  90%  confidence,  the  same  as  the  binomial.  This  defeats  the  purpose 
of  the  Bayesian  approach. 


Figure  4 


..  d 


V 


Number  of  trials  with  0  failures  to  achieve  90%  confidence  that  reliability  R  has  been 
attained  when  a  Bayesian  prior  is  used. 
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The  following  are  two  examples  of  applying  Bayes  Theorem. 


Figure  5.  The  prior  and  posterior  distribution  in  example  1. 

Figure  5  portrays  the  results  of  applying  Bayes  Theorem  to  estimate  the  unreliability  of  the  material 
(LX-13  or  Exter)  which  is  an  extrudable  high  explosive  used  in  a  variety  of  systems  (Ret.  15).  As  can 
be  seen,  the  posterior  distribution  is  not  much  different  from  the  prior  distribution.  In  this  case,  the 
present  observed  data  (failure  numbers,  test  numbers)  is  relatively  small  compared  with  the  previous 
data,  and  the  prior  distribution  is  given  great  weight  in  the  final  unreliability  estimation. 


q 

Figure  6.  The  prior  and  posterior  distribution  in  example  2 

Figure  6,  on  the  other  hand,  portrays  the  results  oi  applying  Bayes  Theorem  to  estimate  the  annual 
pump  unreliability  for  pressurized  water  reactor  (PWRS)  in  commercial  operation  in  the  United  States 
(Ref.  15).  It  is  observed  that  the  posterior  distribution  is  much  less  diffuse  than  the  prior  distribution 
as  a  consequence  of  incorporating  the  obeserved  data.  In  this  case,  the  present  observed  data  set  is  large 
and  it  is  given  much  weight  in  the  final  estimation. 
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2.2.5  Classical  Binomial  Approach 


The  “traditional"  approach  to  reliability  demonstration  in  a  go-no-go  type  environment  is  the  well 
known  Binomial  distribution. 

Stated  mathematically  the  Binomial  Distribution  is  as  follows: 

N  NO< 

=1-C.  ifN<S<0 

where; 

S  =  number  of  successful  start  tests 
N  =  number  of  trials 
R  =  reliability 
C  =  Confidence  level 
where  it  is  assumed  that 

•  Trials  or  tests  are  independent 

•  Each  trial  results  in  success  or  failure 

•  The  reliability  (probability  of  success)  of  each  system  is  the  same  on  each  trial 

•  The  number  of  tests  is  fixed  in  advance  of  the  demonstration  test 

Note  that  it  would  take  45  tests  with  no  failures  to  demonstrate  0.95  reliability  at  9Q%  confidence  (see 
Table  4). 
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Number  of  Tests  Without  Failure  Vs  Reliability  and  Confidence  Level 
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2.3  Baseline  Reliability  Enhancement  Methodology  Identification 

2.3.1  Proposed  Infrastructure  Controls  Affecting  Reliability 

Figure  7  illustrates  how  various  activities  related  to  the  categories  of  design,  manufacturing,  test, 
transportation,  storage  and  operation  can  have  an  effect  on  reliability.  Each  category  has  listed  underneath 
it  examples  of  reliability  enhancing  technique  and  tools.  They  represent  a  cross  section  of  ideas  accumulated 
during  the  site  visits  of  Task  1.  Some  of  the  techniques  are  well  known  and  proven,  such  as  reliability 
predictions/trade  offs.  Others  are  not,  such  as  operating  characteristic  curves  vs.  reliability. 

The  following  is  a  discussion  of  proposed  infrastructure  controls  intended  to  enhance  reliability.  The 
discussion  is  divided  into  quantitative  and  qualitative  approaches  followed  by  a  discussion  of  risk  assessment 
as  a  decision  making  tool. 

Quantitative  Approaches  -  Analysis  of  Historical  Data  (See  Section  2.2),  PRACA/FRACA  Trending  - 
In  order  for  a  Problem/Failure  Reporting  and  Corrective  Action  system  to  be  suitable  foi  maihematical 
trending,  basic  changes  must  take  place  in  the  way  information  is  recorded  and  tracked  (see  Section 
1.1. 3. 2).  These  changes  include  as  a  minimum; 

•  Recording  total  operating  times  on  tailed  as  well  as  unfailed  components 

•  Total  number  of  cycles  or  trials  (both  successes  and  failures) 

•  Inclusion  of  reports  of  all  component  malfunctions,  even  those  which  were  non- 
catastrophic  and  occured  on  non-critical  components. 

Operating  Chaiacteristic  Curves  Correlated  to  Failure  Modes/Rates  -  The  example  that  follows 
illustrates  one  method  of  connecting  defect  rates  from  Q.C.  sampling  plans  to  reliability  calculations  for 
hardware.  Although  this  example  is  tor  solar  array  calculations,  there  is  every  reason  to  believe  that  a 
similar  approach  could  be  used  for  propulsion  systems. 

•  Data 

-  If  entire  population  had  random  defect  rate  of  0.65%,  one  would  expect  to  reject  10%  of  lots  due  to 
the  randomness  of  sampling  process.  Figure  1 2  (page  73)  illustrates  the  use  of  MIL-STD-414  for  the 
purpose  of  determining  the  1 0%  reject  rate.  The  0.65%  defect  rate  corresponds  to  a  90%  confidence  for 
the  lots  expected  to  be  accepted  or,  conversely,  1 0%  are  expected  to  be  rejected.  Assume  that  the  MIL-STD 
414  plan  has  thus  far  rejected  58/434  =  13.4%  of  lots 

-  This  result  is  indicative  of  non  homogeneous  population  wherein  some  lots  are  worse  than  0.65%  and 
therefore  have  a  higher  probability  of  being  rejected;  clustering  of  bad  lots  is  also  indicative  of  non- 
homogeneous  population 

-  Thus,  residual  defect  rate  in  the  accepted  lot  subpopulation  will  be  less  than  0.65%  per  test;  assume 
observed  rate  in  lots  accepted  to  date  is  0.65% 

•  For  purposes  of  an  example,  consider  estimating  solar  array  reliability,  a  failure 
probability  of  0.25%,  will  be  assumed  for  each  interconnect  over  the  course  of  the  three  year  mission 
(conservative) 


•  Each  quarter  string  consists  of  an  average  quantity  of  39  cells 

•  Power  margin  allows  subsystem  to  accept  22  quarter  string  failures  in  each  of  two  sets 
of  992  quarter  strings 
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Assessing  the  chance  and  consequence  of  being 
unable  to  obtain  higher  reliability,  when  it  is  needed, 
within  the  allocated  financial  resources. 


The  process  which  encompasses  the  identification,  assessment,  tracking,  control,  and  mitigation  of  risks  related 
to  reliability  and  results  in  overt  actions  to  accept  known  risks  or  to  make  adjustments  which  control  their  potential 
consequences. 


Figure  7.  Infrastructure  controls  proposed  to  enhance  reliability. 
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•  Two  of  four  interconnects  on  a  cell  are  pulled  as  part  of  sampling  test;  failure  probability 
per  pull  estimated  as  0.25%:  two  tested  interconnects  are  from  either  end  of  cell;  data  from  immediately 
adjacent  interconnects  is  not  available. 

-  Correlation  between  pull  strength  values  from  same  cell  analyzed  and  found  to  be  .38  for  all  lots  tested, 
.54  for  the  ten  “bad”  lots  tested,  and  .32  for  “unknown”  lots;  value  would  be  somewhat  smaller  yet  if 
attention  were  restricted  only  to  lots  accepted  by  sampling  process 

-  Correlation  of  .32  means  that  knowing  the  strength  of  one  interconnect  helps  one  predict  the  strength 
of  a  second  interconnect  on  the  same  cell  (.32  .32)  =  .10  or  10%  more  accurately  than  one  could  predict 
it  without  knowing  the  first  value;  the  square  of  the  correlation  is  known  in  statistics  as  the  coefficient  of 
determination. 


•  Probability  of  both  interconnects  failing  is: 

-  PR  (first  failing)  *  PR  (second  failing/first  fails); 

-  PR  (A/B)  read  as  probability  of  A  given  that  B  is  known  to  occur 

-  If  totally  independent,  PR  (Second  Failing/First  Fails)  =  0.0025 

-  If  totally  dependent,  PR(Second  Failing/First  Fails)=1.0 

-  Since  the  1 0%  factor  developed  above  measures  the  strength  of  the  dependency  which  exists,  it  may 
be  used  to  interpolate  between  .0025  and  1.0  to  estimate  PR  (Second  Failing/First  Fails) 

(1.0  -  .0025)  MO  .0025  =  .10225 

•  Probability  of  two  interconnect  failures  out  of  two  on  same  cell  is  thus  estimated  at 
.0025  *  .10225  =•  .00026 

•  Since  adjacent  interconnects  are  probably  somewhat  more  correlated  than  those  at  either 
end  of  cell,  and  since  degree  of  correlation  is  not  known,  if  we  assume  that  interconnects  fail  at  both  ends 
of  the  cell,  then  (he  cell  will  fail  totally  .  Using  this  assumption  will,  of  course,  produce  somewhat  of 
an  overestimate  of  probabilities.  This  overestimate  is,  however,  small  compared  to  the  effect  being 
observed. 

-  This  means  we  will  estimate  (he  mission  failure  probability  for  a  cell  to  be  .00026. 

-  This  equates  to  a  cell  failure  rate  ri: 

-LN(1  -.00026)/26296  =  9.9E-9/HR 

-  A  quarter  string  wiCi  39  cells  will  t.nus  have  a  failure  rate  due  to  interconnects  conservatively 
estimated  at  39  *  9  9E-9  or  386E-9/HR 

•  The  impact  of  this  new  cell  failure  mode  on  the  array  is  to  change  the  failure  probability 
from  6.25  X  10  ®  to  6.21  x  1 0  "  ,  an  approximate  two  order  of  magnitude  change. 

Qualitative  Approaches  -  Product  Design  FMEAs  -  Although  Product  Design  FMEAs  are  not  unheard  of 
in  the  aerospace  industry,  very  few  companies  perform  them.  In  essence,  product  design  FMEAs  are 
structured  ’o  identify  sources  of  common  cause  failures  (sometimes  called  “coverage  factors"  or 
"correlatior  factors"  by  propulsion  manufacturers). 
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Although  the  following  product  design  description  is  directed  towards  electrical/electronics 
components,  a  similar  approach  could  be  used  for  propulsion  system  components. 

Product  design  Failures  Modes  and  Effects  Analyses  (FMEAs)  are  performed  to  verify  that  hardware 
reliability  and  integrity  is  maintained  when  electrical/mechanical  designs  are  implemented  as  hardware 
during  the  product  design  phase.  This  type  of  analysis  is  typically  done  between  PDR  and  CDR  after  drawings 
become  available,  but  before  they  are  released. 

This  analysis  is  particulaly  appropriate  for  examining  areas  where  redundant  or  backup  paths  are  in 
proximity. 

When  redundancy  is  implemented  by  using  separate  units,  there  is  generally  no  need  to  do  a  product 
design  FMEA  inside  each  unit.  However,  this  may  not  be  true  for  high  energy  systems  such  as  propulsion. 
In  either  case,  unit  external  interfaces,  e  g.,  input/output  cross-straps,  should  be  examined.  Example: 
product  design  criteria  are  listed  below.  Results  are  documented  on  Product  Design  FMEA  Forms.  Where 
negative  findings  occur,  remedial  action  is  recommended.  Adverse  conditions  are  to  be  justified  at  design 
audits. 

The  following  Reliability  Criteria  for  Product  Design  are  applied  in  performing  product  design  FMEAs 
f-^r  printed  circuit  boards,  connecters,  and  wiring  imerfaces: 

Cablino.  Hardnesses,  and  Wire  Bundles 

a)  Assure  that  fault  isolation  exists. 

b)  The  routing  of  all  wire  bundles  shall  be  such  that  all  possible  locations  where  wire  pinching  or 
chaffing  could  occur  are  eliminated  to  prevent  shorts  to  ground  or  shorts  to  different  voltage  or  signal 
source. 

c)  Assure  that  the  design  prevents  screw  threads  from  coming  into  contact  with  wire/leads  during 
assembly. 

d)  Provide  for  special  sleeving  where  wire  routing  is  adjacent  to  sharp  edges. 

e)  Prevent  excessive  pinching  of  wires  by  cable  clamps  by  properly  dressing  bundle  and  sizing  clamps. 

f)  Spot  bond  or  tie  wire  adjacent  to  standoffs  and  with  reasonable  distance  between  supports  such  that 
loads/joints  are  not  degraded  during  exposure  to  vibration  or  shock. 

g)  No  single  wires  or  single  solder  joints  shall  be  system  single  point  failures. 

Connectors 

a)  Similar  connectors  on  a  unit  shall  be  keyed,  color-coded,  or  have  other  mismating  protection. 

b)  Physically  separate  power  and  ground  pins. 

c)  Different  polarity  signals  shall  not  have  adjacent  pin  assignments  (Vis.;  +28Vdc,  -15Vdc). 

d)  Sensitive  low  level  signals  should  have  pin  assignments  physically  separated  from  high  level  power, 
high  level  signals,  or  ungrounded  returns  This  should  also  apply  to  grounds. 
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e)  Critical  power  or  signal  lines  shall  not  have  adjacent  pin  assignments. 

f)  Redundant  p-jwer  or  signal  lines  shall  not  have  adjacent  pin  assignments. 

g)  Review  pin  and  slip  ring  assignments  to  assure  that  shorts  between 
adjacent  pins  will  not  result  in  single  point  failures. 

h)  No  single  connector  pin  shall  be  a  system  single  point  failure. 

Printed  Circuit  Boards 

a)  Review  that  redundant  paths  are  kept  physically  separated  as  much  as  possible. 

b)  Traces  carrying  heavy  current  loads  shall  be  verified  as  having  adequate  load  carrying  capacity  per 
MlL-STD-275. 

c)  There  shall  be  no  open  daisy  chains  for  power  or  ground  paths. 

d)  Sufficiency  in  the  spacing  between  traces  depends  on  trace  voltages  and  conformal  coating  provisions. 
These  should  be  reviewed  against  Standard  Engineering  Design  Systems  to  confirm  that  trace-to-trace 
shorts  will  not  o  ecu  r. 

e)  A  grounding  circuit  trace  leading  to  board  edge  common  ground  should  be  filleted  at  the  lead-in  line 
to  prevent  development  of  cracks  in  circuit  conductors. 

f)  Check  that  redundant  paths  don't  go  through  the  same  piece  part,  e.g.,  a  dual  transistor  or  quad  1C. 

g)  If  there  are  any  single  PC  traces  or  plated-thru-holds  where  an  open  would  result  in  a  system  single 
point  failure,  hardwire  should  be  added. 

h)  Care  shall  be  taken  to  assure  that  high  heat  generating  parts  are  isolated  from  cirtical  signal  paths 
(via  distance/shielding)  to  preclude  burnout  of  PC  traces,  etc. 

i)  Ensure  that  solder  joints  are  inspectable.  Avoid  soldering  flush-mounted  parts  near  heat  sinks  or 
other  items  which  might  make  the  presence  of  solder  balls  undetectable. 

j)  Ascertain  that  the  block  diagram  or  schematic-illustrated  redundancy  is  reflected  by  the  wiring 
diagram. 

k)  Assure  that  solder  reflow  practices  for  boards  (or  within  parts)  will  not  reflow  or  degrade  prior 
connections, 

l)  Handling  and  installation  loads  for  cards  and  assemblies  must  be  reviewed  to  ensure  that  stresses 
imposed  on  joints  are  within  their  load-carrying  capability. 

m)  PC  traces  and  wiring  should  be  physically  separated  such  that  a  fault  is  isolated  and  will  not  cascade 
to  redundant  or  adjacent  elements 

n)  Verify  that  PC  boards  which  contain  redundancy  or  cross-strapping  elements  are  adequately 
protected  against  shorts  to  ground  (internal  and  external  to  the  board)  which  could  represent  a  system 
single  point  failure. 

0)  Plated-thru-holes  shall  have  an  aspect  ratio  (board  thickness  to  hole  diameter)  or  no  greater  than 
3  to  1. 
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FUNCTION  PROVIDED  OR  RESULTING  OUTPUT 


Function  Expected*  or  Output  Required 


5  .  .  .  n 


Part  of 
(n+4) 


Reverse 

(n+5) 


Other 

Than 

(n+6) 


'Obtained  from  a  clear,  concise,  unambiguous  set  of  Engineering  functional  descriptions 


Figure  8.  Top  down  matrix. 
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Manufacturing  Conirol  FMECAs  (See  Appendix  B:  MCDAC  Trip  report)  -  In  the  case  of  the 
manufacturing  control  FMECA,  the  FMECA  should  be  conducted  incrementally  by  reliability  engineering 
during  the  design  pnase  to  identify  single  point  failure  modes.  The  FMECA  should  be  used  in  the  Critical  Item 
Control  process  by  identifying  critical  items  and  the  causes  of  critical  failure  modes.  Proper  design 
controls  would  then  be  implemented  for  each  critical  item  and  can  be  verified  by  a  Manufacturing  Control 
Plan.  FMECAs  should  be  supplemented  with  failure  history  prior  to  FMECAs  of  related  designs  and,  along 
with  ti.e  failure  history,  should  be  made  available  to  designers. 

A  manufacturing  Control  Plan  should  contain  as  a  minimum  the  following  task: 

•  identify  flight  critical  items  (FCIs)  using  FMECAs 

•  Determine  flight  critical  characteristics  for  each  FCI 

•  Identify  specific  manufacturing  methods  for  each  FCI 

•  Prepare  Manufacturing  Flow  Chart  and  annotate 

•  Identify  Process  Control  for  each  select  manufacturing  method 

•  Identify  test  and.'or  inspection  methods  for  each  seiect  manufacturing  method 

Top  Down  Analysis  (L,  Booth  Method)  -  The  most  common  criticism  of  FMEAs  is  the  possibility  that 
not  all  conditions  ca'“=ing  system  anomalieo,  rnalfunctions  or  failures  are  attributable  to  inherent 
component  failures. 

One  way  to  audress  this  concern  is  by  conducting  a  “Top  Down"  analysis.  A  Top  Down  analysis  is  con¬ 
ducted  by  accomplishing  the  following  tasks 

•  Obtain  a  clear,  concise,  unambiguous  set  of  engineering  functional  descriptions 

•  Form  a  matrix  as  shown  on  Figure  8 

•  For  each  intersection  (square)  on  the  matrix,  describe  the  system  condition  (i.e.,  0  = 
nominal  thrust,  n+6  (other  than)  =  wrong  direction).  Therefore,  (0,  n+6)  means  correct  thrust,  wrong 
direction.  The  square  (0,0)  indicates  correct  nominal  thrust  was  required  and  correct  nominal  thrust  was 
delivered. 


•  Each  square  of  the  matrix  is  a  potential  “Top  Event"  (undesirable  condition). 

•  F^ipio, a  eaci:  top  event  (using  fault  trees,  event  trees  or  similar  techniques)  until  all 
conditions  leading  to  the  top  evc,'!t  ■■lu-f,  c.uiausted. 

Risk  Assessment  (reference  Figure  7)  -  Risk  assessment  can  be  characterized  as  follows: 

•  Risk  assessment  is  the  process  for  estimating  the  risk  associated  with  a  particular 
alternative  course  of  action 

•  Risk  assessment  considers  probability  of  failure  and  consequence  of  failure  as  they  relate 
to  technical  performance,  schedule,  ana  cost 
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Where 


Risk  is  the  probability  and  consequence  of  not  achieving  some  defined  program  goal  and  is  a  function  of: 


•  Probability  of  failure 

•  Consequence  of  failure 

-  Increased  Cost 

-  Extended  schedules 

-  Reduced  performance 

Risk  assessment  involves  these  steps  indicated  in  the  lollowing  diagram: 


Where  risk  levels  are  defined  as: 

High  1  he  problem  is  obvious  and  there  is  a  high  probability  of  failure  to  meet  reliability, 
performance,  schedule  or  cost  objectives.  Monitoring  and  control  must  be  rigorous,  with  frequent  update 
of  risk  status.  A  fail-back  or  alternative  system  or  plan  is  mandatory. 

Medium  -  The  problem  is  identifiable  and  would  impact  piuQiarri  rcIIaLillJy,  pc-formarice,  schedule, 
or  costs.  The  probability  of  occurence  is  high  enough  to  require  close  control  of  all  contributing  factors, 
establishing  of  risk  management  milestones,  and  an  acceptable  fail-back  position. 

Low  -  The  problem  is  identifiable  and  would  impact  program  objectives,  but  the  probability  of 
occurrence  is  low  as  to  cause  no  concern  other  than  normal  monitoring  and  control. 
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2.3.2  Risk  Managenient 


Risk  management  is  the  pmcess  which  encompasses  the  identification,  assessment,  tracking,  control 
and  mitigation  of  risks  related  to  reliability  and  results  in  overt  actions  to  accept  known  risks  or  to  make 
adjustments  which  control  then  potential  consequences 

Risk  assessment  assesses  the  chance  and  consequence  of  being  unable  to  obtain  higher  reliability,  when 
it  is  needed,  within  the  allocated  financiai  resources. 

Establishing  Factors  -  In  order  to  assess  and  manage  risk,  factors  must  be  established  based  on  tech¬ 
nical  risks  Facloib  can  be  ciiarac'erizeri  by  using  the  two  following  matrices  (Figures  9  and  10). 

Assessing  Economic  Risk  -  Given  the  icoormation  of  sections  2  3. 1,3and2.3,2.1  are  available,  the  most 
efficient  way  to  assess  economic  risk  is  to  use  an  established  model  tailored  to  the  rocket  industry.  The  model 
accounts  for  both  production  and  operational  processes  that  would  be  impacted  by  unreliability.  Additional 
economic  modeling  of  the  cost  ot  unreliability  to  customer  com'.nunifies  is  essential  to  gain  a  meaningful 
estimate  of  economic  risk.  Economic  models  must  evaluate  the  actual  cost  of  finite  activities  required  to 
reduce  risk  by  finite  amounts 

In  the  case  of  launch  vehicles,  most  individuals  recognize  the  direct  costs  of  unreliability  such  as 
residual  hardware  that  is  scrapped  due  to  more  rigorous  inspections  or  redesign  effort.  The  incorporation 
of  additional  quality  control  that  slows  production  rates  and  operational  process  timelines  while  increasing 
the  total  amount  of  personnel  and  facilities  that  are  required  to  support  the  vehicle  is  a  more  subtle  cost 
effect  of  unreliability  The  largest  cost  is  related  lo  payload  communities  that  suffer  direct  losses  in  the 
form  of  lost  hardware  and  higher  insurance  rates,  as  well  as  launch  schedule  backlog  effects  that  result  in 
program  slippage  that  has  cost  of  money  and  cost  of  storage  implications.  Actual  costs  of  unreliability  are 
difficult  to  estimate  accurately,  but  the  costs  may  be  bounded  from  documented  historical  events  that  give 
a  real  estimate  of  cost  risk  exposure. 

Perhaps  the  greatest  single  "cost"  of  unreliability  can  be  related  to  loss  of  strategic  capability  at  critical 
time  windows.  Forthe  military,  thismavbethe  absence  of  reL-onnaisance  capability  during  evolving  inter¬ 
national  crises  or  a  less  capable  navigation  or  communications  environment  for  operations.  For  the  private 
sector,  the  strategic  loss  may  be  ir.  the  form  of  lost  opportunity  to  penetrate  specific  markets  at 
advantageous  time  windows.  Unreiiaoil  ly  a^sc  results  m  loss  ot  national  stature  and  a  hinderance  in  the 
ability  to  successfully  compete  with  the  iniernationai  community. 

The  economic  risk  of  unreliability  is  but  one  element  of  the  overall  risk  assessment.  The  overall  risk 
is  a  combination  of  economic  nsk,  schedule  risk,  and  mission  capability  risk.  In  essence,  the  approach 
would  be  to  assign  relative  figures  cf  merit  (ranging  frem  9  to  i)  of  each  of  the  risk  factors  of  Figures  9 
and  10,  then  compare  the  summed  riSK  ’aciors  agamst  a  cest  ol  reducing  the  overall  risk.  The  program 
manager  can  then  look  cf  the  reiei  ve  cost  Penotit  of  risk  reduct.cn  investment  options  that  assures  ultimate 
program  v;rit;i!itv 
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Figure  9.  Typical  top-levei  factors 
contributing  to  probabilty  of  failure. 
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Typical  Top-Level  Factors 
Contributing  to  Consequence  of  Failure 
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Figure  10.  Typical  top-level  factors 
contributing  to  consequence  of  failure. 
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3.0  (TASK  3)  QUANTIFICATION  AND  PRIORITIZATION  OF  METHODOLOGIES 


In  many  cases,  there  is  insufficient  information  to  completely  quantify  and  prioritize  the  methodologies 
that  have  been  identified.  In  other  cases  they  are  difficult  to  prioritize  because  of  the  qualitative  nature  of 
the  methods.  In  any  case,  thorough  testing  of  the  various  methodologies  should  be  the  subject  of  future 
studies  (see  recommendations). 

3.1  Testing  of  Quantitative  Methods 

Three  areas  of  study  appear  to  be  promising.  They  are: 

•  Comparison  of  the  methods  of  Section  2.2 

•  PRACAyFRACA  Trending 

•  Connecting  Operating  Characteristic  Curves  to  Reliability 

3  1 .1  Comparison  of  the  Methods  of  Section  2.2 

Section  2.2  includes  a  description  of  a  selected  number  of  quantitative  methods  intended  to  indicate 
reliability  growth  as  well  as  demonstrating  the  achievement  of  a  prescribed  reliability  goal. 

Four  of  the  methodologies  -  Binomial  model,  Beta-Binomial  model  (Bayesian  Estimation),  Lloyd’s 
model  and  Shen's  model  for  estimating  reliabilities  of  launch  vehicles  from  attribute  data  are  introduced 
and  compared  in  a  preliminary  manner. 

Binomial  Model  -  The  simplest  way  to  estimate  the  reliabilities  of  launch  vehicles  is  to  use  the  Binomial 
model.  It  is  easy  to  perform  the  calculations,  but  a  large  size  sample  is  required  to  demonstrate  high 
reliability.  The  results  obtained  by  applying  this  model  do  not  account  for  the  reliability  growth  effect 
expected  during  the  developmental  history  of  the  launch  vehicles. 

Beta-Binomial  Model  (Bayesian  Estimation)  -  The  Beta-Binomial  model  is  based  on  the  Bayesian 
Estimation.  In  this  model,  several  similar  components  are  treated  as  a  single  class.  The  probability  pot  each 
component  in  the  class  is  assumed  to  be  constant  but  will  have  different  values  from  component  to  component 
[i.e.,  g(p)].  If  the  Binomial  distribution  is  used  to  obtain  the  probability  of  K  failures  in  n  tests  for  each 
component,  the  conjugate  distribution  g  (p)  for  the  class  is  the  Beta  distribution.  This  model  weights  the 
reliability  growth  effect  and  can  be  applied  to  forecast  the  reliabilities  of  launch  vehicles.  The  detailed 
theoretical  analysis  ran  be  found  in  Ref  19,  “Bayesian  Reliability  Analysis”  by  Harry  F.  Martz  and  Ray 
A.  Waller,  1982.  The  disadvantage  of  this  model  is  that  it  is  very  difficult  to  separate  the  total  sample  data 
into  several  similar  components,  unless  we  have  the  detailed  engineering  analysis  and  each  failure  model 
at  the  different  periods  of  the  launch  vehicle  developmental  history. 

Lloyd's  Model  (Ref.  14)  -  In  Lloyd's  model,  the  rationale  is  that  when  engineering  corrective  action 
for  a  failure  is  implemented,  the  probability  of  recurrence  of  that  failure  is  reduced;  therefore,  such 
failures  should  not  be  carried  as  full  failures  in  subsequent  reliability  estimates.  The  failure  value  for  each 
failure  model  is  assumed  to  be 

f  =  1-{1-Y)""  (1) 

where  y  is  the  confidence  level  and  n  is  the  number  of  successful  tests  after  corrective  action. 


Based  on  a  detailed  engineering  analysis  for  each  failure  mode,  the  result  of  failure  number  for  each 
failure  mode  can  be  obtained  by  solving  eq.  1.  The  final  result  of  the  reliability  estimation  is 
R  =  1  -  If/N,  where  D  is  the  cumulative  failure  number  of  all  failure  modes.  N  is  the  test  number. 

This  model  weights  the  growth  effect  and  can  be  extended  to  forecast  the  reliability.  For  this  model  one 
needs  to  know  not  only  at  which  launch  number  the  failure  occured,  but  also  at  which  launch  number  the 
failure  was  corrected.  The  confidence  level  chosen  in  eq.  1  directly  affects  the  final  results  and  is  difficult 
to  justify  The  confidence  level  for  the  final  result  R  =  1  -  Xf/N  is  not  clear. 

Shen’s  model  (Ref  Appendix  A. 3)  -  In  Shen  s  model,  the  reliability  Rn  of  a  launch  vehicle  at  the  n'^ 
launch  is  obtained  as 

N 

Rn  =  1  -  Um  =  1  -  [  Frr'  Ln  -  2 L  rf  F  -  F  rr'  L  r.-  L  .)  /  N]  (2) 

]=.  1 

where  U,  is  the  unreliability  at  n'*^  launch 

F,^  is  the  cumulative  failure  number  at  n'^  launch 
L„  IS  the  n'*^  launch  number 
F  IS  the  cumulative  failure  number  at  i‘'^'  launch 
L  is  the  r*"  hunch  number. 

The  term  F^/L^  in  eq  2  is  the  estimated  average  unreliability  at  the  n’^  launch.  The  term 

H 

2/  Ln*  Fr  FrV  Ln*  Li)  /  N  in  eq.2  is  the  corrective  unreliability  caused  by  growth  effect. 


This  mode!  is  simple  and  easy  tn  apply  it  weights  tfie  growth  effect  and  can  be  extended  to  predict  the 
future  reliabilities  of  the  launch  ve  hcles.  The  final  results  of  the  model  are  obtained  directly  from  the 
collected  data  in  which  only  the  launch  numbers  at  which  the  failures  occured  need  to  be  known. 

However,  since  this  model  does  not  assume  any  knowledge  of  what  ctianges  were  made  subsequent  to 
failures,  it  does  not  directly  incorporate  the  effects  of  engineering  analysis  and  corrective  action  taken 
after  each  laiiure  For  this  reason,  its  '•eliabildy  growth  forecast  lags  that  of  Lloyd’s  method. 

Frc" :  the  above  analysis  of  these  four  methodologies,  the  Lloyd's  model  and  Shen's  model  are  considered 
to  be  tfte  tetter  rr.odels  for  estimating  reliabilities  of  launcn  vehicles. 

Fig  1 1  illustrates  the  results  by  applying  Lloyd  s  and  Shen's  models  to  an  example  from  Ref.  1 .  As  we 
can  see.  the  tendencies  of  the  results  for  both  models  are  similar,  the  values  of  estimating  reliability  from 
Lloyd's  model  are  higher  then  those  from  Shen's  model. 

In  the  present  study,  based  on  the  collected  data,  the  Shen  model  is  used  to  estimate  the  reliabilities 
for  twenty  four  U  S  launch  vef;icle.s.  The  growth  trends  obtained  from  the  model  are  shown  in  Figures  11a, 
and  1 1b  for  the  Delta  and  Titan  famnlies  of  lav'irh  vehicles. 


Reliability 


Launch  Numbers 

Figure  11a.  Reliability  estimation  of  Thor  and  Delta. 
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Figure  1 1  b.  Reliability  estimation  of  Titan  I,  II,  III. 
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3.1.2  PRACA/FRAC A  Trending 

An  additional  dimension  could  be  added  to  PRACA/FRACA  system  to  allow  trending  if  a  “cradle  to  grave" 
concept  were  established.  Under  the  current  circumstances  PRACA/FRACA  systems  frequently  report  only 
through  the  testing  phase  (except  for  reusable  systems)  and  do  not  always  report  on  total  time  and  cycles 
on  both  failed  and  unfailed  components. 

In  addition,  PRACA/FRACA  systems  should  include  not  only  failure  phenomenon  but  precursors  to 
failure  problems  as  well.  Such  precursor  problems  should  include  unexpectedly  low  margins  or  largerthan 
expected  variability.  The  corrective  actions  should  be  accomplished  interactively  with  system  functional 
descriptions  and  the  FMECA  to  insure  that  those  efforts  are  up  to  date  while  the  search  for  root  cause  is 
pursued. 

In  order  for  an  evaluation  of  PRACAs/FR  AC  As  trending  capabilities  to  be  affected,  a  pilot  program  needs 
to  be  established  using  the  trending  techniques  of  reference  2. 

3.1.3  Operating  Characteristic  Curves  and  Reliability 

An  example  was  given  in  Section  2.3.1 .1  correlating  operating  characteristic  curves  to  failure  modes 
and  failure  rates.  Reference  1 7  illustrates  some  recent  work  in  this  area.  In  this  work  an  effort  was  made 
to  tie  safety  factors  developed  in  the  traditional  engineering  approach  to  resulting  structural  reliability 
using  a  probabilistic  representation  of  these  traditionally  developed  factors. 

Figure  12  illustrates  the  relationship  of  defect  rates  (quality  of  submitted  lots)  to  operating 
characteristics  (OC)  curves.  In  this  way,  changes  in  sampling  plans  and  procedures  could  be  linked  to 
criticality  ranking  in  FMECAs. 

For  example,  suppose  the  amount  of  moisture  in  a  bonding  liner  polymer  used  in  solid  rocket  motor  cases 
is  linked  to  poor  quality  of  bonding,  thus  to  separation.  A  change  in  the  sampling  procedure  could  reduce 
the  defect  rate  and  reduce  the  potential  for  failure  by  a  similar  amount. 

A  study  should  be  undertaken  to  test  the  validity  of  such  a  link. 


3  2  Evaluation  of  Qualitative  Methods 

As  was  noted  earlier,  it  is  difficult  to  prioritize  qualitative  methodologies.  However,  the  three  methods 
that  do  show  promise  based  upon  the  information  obtained  from  this  study  effort  are; 

•  Top  Down  Analysis 

•  Product  Design  FMEAs 

•  Manufacturing  Interfaces 

Tests  of  these  techniques  could  help  to  more  firmly  establish  these  capabilities.  Suggested  tests  are 
defined  below: 

3.2.1  Top  Down  Analysis 

In  order  to  rate  the  value  of  “Top  Down  Analysis”  when  conducted  in  accordance  with  the  method 
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Figure  12.  Operating  characteristic  curves  for  sampling  plans  based  on  standard  deviation  method. 
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described  in  Section  3. 2. 1.2,  the  results  of  an  FMEA  should  be  compared  to  the  results  of  a  Top  Down 
analysis. 

3.2  2  Product  Design  FMEAs 

Product  Design  FMEAs  have  proved  to  be  valuable  in  identifying  and  eliminating  sources  of  common 
cause  failures  in  electrical/electronics  applications  (see  Section  2.3.1 .2).  A  study  should  be  undertaken 
to  see  if  a  Product  Design  FMEA  would  be  fruitful  when  applied  fo  the  non-electronic  propulsion  subsystems. 

3.2.3  Manufacturing  Interfaces 

Flight  critical  item  and  manufacturing  control  plans  have  a  great  deal  of  potential  for  controlling 
critical  items  as  described  in  Section  2.3.1 .2  “Manufacturing  Control  FMECAs".  The  effectiveness  of  such 
an  approach  remains  to  be  demonstrated,  however.  A  study  should  be  undertaken  to  demonstrate  the 
effectiveness  of  manufacturing  control  FMECAs. 

3.3  Prioritization  of  Me  nodologies 

The  prioritization  of  methodologies  cannot  be  completed  until  the  studies  described  in  this  section  are 
completed. 


KEY  RECOMMENDATIONS 


The  following  areas  have  been  identified  as  having  significant  reliability  impact.  These  areas  each 
warrant  further  in-depth  study  if  the  high  reliability  goals  of  the  Air  Force  advanced  launch  vehicle 
programs  are  to  be  achieved  in  an  operational  system. 


1 .  Failure  Correlation’ 

The  percentage  of  failures  which  are  likely  to  impact  more  than  one  engine  in  a  multi-engine  design  is 
of  critical  design  import.  This  percentage,  or  “failure  correlation  factor,”  must  be  well  below  20%  for 
reliability  oriented  design  approaches  such  as  engine  out  capability  to  be  effective.  The  lower  this 
percentage  the  more  effective  is  this  hueristically  pleasing  design  option.  Not  surprisingly  therefore, 
contractor  new  engine  design  characteristics  quote  extremely  low  factors  (as  low  as  1%).  Correlations  as 
low  as  1  out  of  100  do  not  seem  consistent  with  other  design  parameters  specified  (such  as  high  chamber 
pressures)  and  are  considerably  lower  than  factors  achieved  on  recent  engine  designs  (e.g.  17%  for  the 
shuttle  main  engine  test  program).  Finally,  there  did  not  appear  to  be  any  significant  consideration  given 
to  how  these  low  factors  would  be  achieved  in  practice. 

Recommendation  1  -  Failure  correlation  factors  are  key  reliability  parameters  to  Air  Force  launch 
vehicle  design  decision  makers.  Specific  studies  such  as  parameter  design  studies  which  address  what 
factors  have  been  achieved  in  the  past  and  what  design  trades  have  been  made  to  ensure  the  Ic'*'  factors  quoted 
will  be  evident  in  the  resulting  designs  appear  to  be  lacking.  It  is  recommended  that  these  investigations  be 
made  prior  to  the  selection  of  any  design  alternative. 

2.  Variability  Control 

The  currently  achieved  launch  vehicle  reliability  has  been  shown  by  this  investigation  to  be  below  0.95. 
However,  the  investigation  uncovered  examples  of  reliabilities  in  other  somewhat  similar  systems,  such 
as  tactical  missile  systems,  which  routinely  achieve  0.99  and  some  which  approach  0.999.  These  systems 
whose  operational  reliabilities  currently  meet  or  exceed  the  reliability  requirements  for  the  Air  Force 
advanced  launch  system  have  achieved  these  high  reliability  levels  through  the  use  of  intensive  variability 
control  programs.  While  it  would  be  inappropriate  to  make  any  direct  correlation  between  tactical  missiles 
and  launch  vehicles,  it  is  also  clear  from  a  review  of  the  failure  data  of  mature  launch  systems  that  the 
barrierto  significantly  higher  reliabilities  may  be  the  residual  variability  inherent  in  the  current  launch 
vehicle  production  process.  A  cursory  review  of  other  somewhat  comparable  products,  such  as  commercial 
jet  engines  and  gas  turbines  and  recent  Air  Force  variability  reduction  studies  performed  as  part  of  the  R&M 
2000  program,  provide  further  support  for  this  argument. 

Recommendation  2  -  Residual  variability  may  be  the  key  barrier  to  high  launch  vehicle  reliability 
achievement.  For  this  reason,  it  is  recommended  that  investigations  be  made  into  the  effectiveness  of 
specific  variability  control  programs  such  as  Taguchi  methods  or  alternatives.  These  investigations  should 
be  directed  at  determining  the  applicability  of  the  methods  to  the  launch  vehicle  production  process.  It  is 
further  recommended  that  some  specific  program  for  variability  control  be  included  throughout  all  phases 
of  the  advanced  launch  system  program. 


*  The  definition  cited  here  ib  broader  than  that  used  traditionally  by  propulsion  system  designors  See  Appendix  A  1  for 
discussion  of  the  difference 
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3.  Reusability 


Reusability  is.  on  the  surface,  a  design  goal  of  significant  program  benefit  However,  the  benefits  of 
reusabiity  are  significantly  compromised  it  the  reliability  of  an  engine  is  adversely  affected  by  the 
requirement.  Besides  the  direct  costs  involved  in  developing  a  reusable  design,  there  also  appears  to  be 
significant  indirect  costs  which  are  required  to  maintain  reliability  in  a  reusable  design.  For  example, 
reusability  by  its  very  nature  tends  to  decrease  the  production  run.  When  production  runs  are  decreased, 
investments  in  automated  production  equipment  become  less  economical  and  the  production  process 
therefore  tends  to  become  more  prototypical.  Prototypical  production,  especially  of  complex  equipment, 
increases  the  problems  associated  with  variability  control  and  therefore  substantial  postproduction  testing 
may  be  required  to  ensure  high  reliabilities.  A  good  example  of  such  an  indirect  impact  on  reusability  was 
seen  at  the  Rocketdyne  SSME  production  facility  in  Canoga  Park,  California. 

Recommendation  3  -  Reusability  has  been  shown  to  have  indirect  and  potentially  nogaiive  impacts  on 
the  achievement  of  high  reliabilities  at  reasonable  cost.  The  indirect  impacts  of  reusability  on  reliability 
and  cost  through  such  mechanisms  as  variability  control  problems  should  be  thoroughly  investigated  and 
the  results  of  this  investigation  included  in  the  programmatic  decision  making  related  to  reusability. 

4.  Risk  Management 

Achievement  of  high  operational  reliabilities  in  such  areas  as  nuclear  power  plant  safety  systems  have 
been  significantly  supported  by  a  continually  active  program  that  attempts  to  identify  the  risks  to  reliable 
operation  and  to  address  them  according  to  their  importance.  Such  a  risk  management  program  has  been 
investigated  and  recommended  by  NASA  SRM  &  QA  for  future  projects,  but  it  is  not  clear  whether  a  risk 
management  orogram  is  planned  for  the  acquisition  of  advanced  launch  systems 

Recommendation  4  -  The  Air  Force  should  investigate  the  advisability  of  incorporating  a  risk  manage¬ 
ment  program  as  an  integral  part  of  any  launch  system  program 

5  Reliability  Performance  Indicators  and  Trending 

For  high  reliability  programs  it  is  important  to  identify,  early  on,  symptoms  of  the  process  which  pre¬ 
sage  deterioration  in  performance.  This  has  been  done  in  the  financial  community,  in  the  commercial 
aircraft  community  and  in  the  nuclear  power  safety  community  by  the  development  of  a  set  of  "leading" 
performance  indicators  and  developing  performance  trends  based  upon  the  indicator  trajectories  through 
time.  If  such  a  set  of  indicators  could  be  developed  and  trended  for  the  Advanced  Propulsion  Systems 
program,  the  indicator  trajectories  might  provide  early  warning  of  problems  arising  during  development 
and  operation.  This  early  warning  could  provide  the  time  required  to  institute  corrective  action  before 
actual  program  reliability  performance  is  affected. 

Recommendation  5  The  Air  Force  should  develop  as  part  of  advanced  propulsion  system  development 
programs  -i  •'.et  o?  potential  indicators  of  programmatic  reliability  performance.  This  indicator  set  should 
be  based  ot  ginaily  on  historical  information,  but  laterupdated  and  validated  as  advanced  propulsion  system 
development  programs  specific  informafion  becomes  available. 


6^  Reliability  Growth  Analysis 


In  all  oeveiopmental  systems  a  certain  degree  oi  reliability  growth  is  to  be  expected-  However,  program 
managers  need  to  know  the  pace  of  the  expected  growth  so  that  they  can  determine  if  the  program  is  likely 
to  meet  the  operational  reliability  goals  within  developmental  rime  constraints  An  understanding  of  the 
growth  process  is  therefore  essential  to  the  determination  of  the  proper  role  to  be  played  by  history  in  the 
forecasting  of  future  system  reliability  If  an  historical  failure  has  been  analyzed  and  its  cause  determined 
and  suitable  corrective  action  Is  implemented  to  prevent  its  recurrence,  it  is  recognized  that  it  would  have 
Its  probability  of  occurring  again  diminished  when  it  is  utilized  for  predicting  future  performance.  But  by 
how  much?  The  determination  of  how  much  each  failure  should  be  counted  is  important  in  orderto  establish 
the  proper  “calibration”  for  the  reliability  growth  characteristic  to  be  used  to  determine  how  well 
reliability  development  is  proceeding.  Several  approaches  have  been  developed  to  address  the  issue  of 
growth  Among  those  developed  are  the  early  works  of  Duane  at  GE,  that  of  David  Lloyd  of  TRW,  and  that 
developed  by  Dr  Yu  Shen  of  SAIC  as  part  of  this  study,  in  addition,  Bayesian  approaches  may  show  promise 
for  improved  growth  forecasting. 

Recommendation  6  -  Reliability  growth  forecasting  is  important  during  the  development  of  systems 
with  high  reliability  requirements  such  as  ALS.  Accurate  grovvth  forecasts  allow  program  managers  to 
determine  early  on  if  reliability  requirements  are  likely  to  be  met.  (This  is  especially  important  when 
program  economics  prohibit  extensive  development  test  flights  as  Is  the  case  v/ith  ALS).  Several  methods 
currently  exist  to  allow  for  forecasts  to  be  generated:  however,  further  development  is  required  to  assure 
that  a  reasonable  growth  forecast  is  developed  for  advanced  propulsion  system  development  programs.  It 
is  therefore  recommended  that  the  concept  of  reliability  growth  be  further  developed  as  it  applies  fo 
advanced  propulsion  system  development  programs. 


kurther  Recommended  Studies  -  The  recommended  studies  as  discussed  in  Section  3  0  are  judged  to  be 
somewhat  less  in  importance  than  the  Key  Recommendations  above.  Nonetheless,  the  following 
recommended  studies  could  have  a  significant  impact  on  reliability 

1 .  Detailed  Comparison  of  the  Methods  of  Secion  2.2 

2  PRACA'FRACA  Trending 

3  O.C  Curves  and  Reliability 

4  Top  Down  Analysis 

5.  Product  Design  FMEAs 
6  Manufacturing  Interfaces 


; 
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Appendix  A.1 


An  Investigation  of 
Historical  Failure  Correlation 
Using  the  Shuttle  SSME  Test  and 
Flight  History  as  an  Example 


;f) 


:viKOni;('Ti()N 


(livcn  the  current  state  ('I  nK.tct  ttigine  technology  there  exisL,  a  Unite  prohiifiility  ''!  :>  caULSirophic 
enitine  laiiure  (luring  a  vehu  le  Itiunch.  A  cauistruphic  enj’inc  I'aitnn'  is  cittisiderer)  one  in  Aaich  the  engn^e 
(Iik'n  not  sliui  ilosMi  in  a  contiolled  nvtr.ner  and  includes  iiiudiiirt'lled  lire,  explosion,  bre.tich  of  the  prcs.siirc 
Utillidary,  shrapnel,  or  a  combination  of  ihe.se.  (liven  that  an  engine  has  laded  caia,siro|)hically  in  Highl  an 
imir.edi.itc  criner  rn  k  loi  other  critical  hartlwaa’  in  the  vicinity  ol  itie  failed  cngitie.  l-’or  vehicles  configtired 
vsith  imiltiple  engines  n;  ti  clnstcr  the  (jtiestion  tieconie  whether  the  catastrophic  laiinrc  ol  one  engine  will 
result  m  the  catastropt.ic  lo,^  I'l  the  entire  engine  cluster. 

This  study  develops  the  correlalion  boiween  a  ealastrophie  failure  ol  a  Space  Sliuiiie  Main  F.ngine 
iSSMb)  and  the  [iropagatior.  of  that  laiiure  to  include  the  entire  SSMb.  diree  i-i.gine  cluster. 

■SSMl-;  l-All-LiRH  DA  l  ABASb 

i  he  SSMF-.  dat.ibaiJ.'  used  lor  this  siudv  consi.as  oi  ground  te-.t  and  llietu  dal;-.  Irtiia  M.i-  I'l. 
tfiroiiidi  April  7(1,  idSX.  ib''  d.iicd  as<'  mciiutes  l-fXti  records  iiclaihac  the  .S.s,Mb  exposure  history  b',  test 
aiii!  d.ile 


Sigtidictiiil  SSNifi  evciu.s  whiLh  have  resulted  tn  ’aiiiage  or  the  loss  ol  hardwtire  arc  classified  by 
N.AS.A  as  major  incidents.  Catastrophic  engine  events  arc  a  subset  of  the  events  classilicd  as  major 
mcidcrus.  A  caui.  trophic  event  is  one  nt  whith  its  (KXurrenee  in  Higfii  results  m  sigiiilieani  unetmtamed 
engine  damage  and  subscvjucnily  m  the  loss  of  cicw  and  veiue'e  nre  consideration  of  major  incidcnis  is  the’ 
basis  for  developing  the  coirelaiion  of  failure  factor  for  the  .s.S.Mfi. 

V.'ithm  the  loun  .iSMIi  e.x[H  rieiue  there  have  bi.'en  .Ri  maior  incidents.  (.)!  these  i2  of  the.se  inci'icnis 
h.ivc  been  during  single  engine  ground  tests,  which  miisi  be  judged  as  applicable  to  this  study  and  whether 
the  event  would  have  resulted  in  damage  to  an  engine  cluster,  'fhrcc  of  the  major  incidents  occurred  during 
three  engine  cluster  stadc  iiiu'gs  and  it  should  be  noted  dial  none  of  these  events  resulted  in  damage  to  the 
other  engines  in  the  cluster,  the  reniainmg  major  incident  (xteurred  ic  night  tluring  Ih?  S'l'.S-l  1  mission 
and  again  did  not  result  in  damage  t"  the  cluster,  however,  this  event  txcurred  late  in  ine  cn.r’inc  hum  with 
no  t onscquencc  to  the  engine  involved  and  the  engine  shut  down  at  its  piogrammed  time. 

Ine  iailtirc  events  included  m  the  s'udy  consider  till  .S.SMl-,  history  and  has  not  be'cn  tillered.  Smee  the 
nuiior  consideration  is  to  determine  the  probability  of  cluster  failure  given  an  engine  laiiure  has  occurred,  all 
ol  the  .S.SMF  exfx'rience  is  considered,  'ftius,  engine  configuration,  test  objectives,  pHiwer  level,  subsequent 
h.ir  iware  redesigns,  etc.,  arc  considered  irrelevant.  I  he  object  of  this  study  is  not  to  determine  whether  the 
.SSxll  .  w  ill  fail,  but,  g.ivcn  that  oiti  fias  failed,  m  determine  ilie  probability  of  an  entire  cluster  laiiure. 

I  adurc  Ciic.-ria  •  .‘sot  all  ol  ih('  (0  major  mcidetils  are  applicable  to  this  study  .Since  llic  sltidv 
involves  failures  winch  could  [loienli.dly  alfecl  or  dai::  other  engines  of  the  cluster  ati  appropriate 

vcrci  timg  criteria  is  ri.ijuired  m  order  to  determine  wimh  of  the  major  incidents  m  the  database  are 
applictible.  1  he  vrileria  m-ed  to  develop  ih<‘  correlation  of  failures  must  consider  only  those  events  which 
either  directly  damage  the  cluster  due  to  shrapnel,  for  ex.iniplc,  or  which  indirectly  rv’stdi  m  cluster  failure 
bv  disrupting  l'  e  liicl  linw  lo  all  engiiies 


'  I )  ir  I  '7'  the  ei'i  jr-e  ol  *h:s  siiidv  i  d<' repar,'  y  ;r.  the  de  run  lion  <  U  \orrei,ttio:i  tutor'  'v  ,is  disr  ov  er  ed  tx'l  vseioi  1 1  e 
propi :  h.  II  m  sysiere.  developiTs  u'.l  the  uilnu.ile  l.iiir' h  vi'hitte  useiv  i  (lere  the  t's  An  f  ore  e  I  The  p.opuisio 
yoo.;T'  i!e\'  l.’pers  hniit  (orrei.tled  t.niiu'ss  orilv  lo  *.  aCe-lioptuc  engine  t.nlures  whah  we.uld  prop, j, sue  lo  ,i  eiiisie 
tv  I  :!:  .V  i.sve.!  in  (hi‘  seetion  lt»  ilie  iiver  (.nUne  wtm  tr  t  inees  Ittss  (rf  n\oTt-  th.ir.  a  sineh’  engnu'  wticllier  v:,i 

( .leioroprin  failure,  nr, o  hedede. I  sriiil  down,  toes  of  bi.i  '.npplv,  niipro[K'r  dinio  veiiontig.  ,'l'  so  ih.ii  ili,- 
p.ivl  ..til  ',1  ort'i:  (.ipahili'v  e  leoj'.ir.itli/e.l  i\  a  mrrela.ed  l.nlnr-  In  tho  way.  ealavl'opltit  eiignie  (.iilnres  wtii,  !i 
pr'-piei:-  ,ire  ordv  .a  -.ijt'ee!.  a'hw-ii  an  intjtoti.ntl  .  ni  ■  of  at!  ton.d.tled  f.nliires 


The  following  criteria  were  used  to  determine  which  of  llie  major  incidents  should  be  considered 
applicable  for  this  study: 

Uncontrolled  SSME  Shutdown  -  The  event  occurred  in  such  a  way  that  the  SSME  controller  was  not  in 
control  of  the  shutdown  sequence.  That  is,  the  failure  mode  is  one  which  can  not  be  or  is  not  rcdline 
protected;  or  even  though  redline  protection  exists  and  may  have  been  activated,  the  action  of  the  controller 
is  insufficient  or  is  not  fast  enough  to  maintain  control  of  the  event. 

Uncontained  Hardware  Failure  -  The  failure  of  an  engine  component  results  in  uncontained  damage  or 
damage  propagation  to  other  major  components  such  as  in  the  case  of  an  uncontrolled  oxygen  fire  or  in  the 
event  of  an  explosion  in  which  debris  and  shrapnel  cause  subsequent  hardware  failures.  Of  primary  concern 
to  the  surrounding  engines  of  the  cluster  is  breach  of  the  engine  pressure  boundary  and  the  release  of  hot 
gas,  fire  or  shrapnel. 

Retirement  of  an  Engine  from  Further  Testing  -  Due  to  the  limitations  in  some  of  the  failure 
descriptions  additional  data  is  required  to  make  a  judgement  as  to  the  applicability  of  an  event.  One  readily 
available  piece  of  information  is  the  subsequent  disposition  of  an  engine  following  an  event  Retirement  of 
an  engine  from  the  test  program  is  generally  a  good  indication  that  the  damage  to  the  engine  resulting  from 
the  incident  was  severe  enough  to  preclude  ise  of  the  hardware  in  the  future.  It  is  recognized,  however,  that 
this  is  not  a  definitive  indicator  of  severe  engine  damage  since  engines  are  retired  as  a  function  of  their  firing 
exposure  as  well  as  according  to  damage  resulting  from  testing. 

The  above  criteria  are  thus  used  to  determine  if  a  major  incident  should  be  considered  an  applicable 
failure  to  consider  in  developing  the  correlation  of  failure  factor.  Once  the  event  is  judged  applicable  a  final 
criteria  is  used  to  determine  if  there  is  the  potential  for  damage  to  the  engine  cluster. 

Damage  to  Surrounding  Hardware  -  Only  in  the  flight  configuration  and  in  the  three  engine  cluster 
static  firing  is  direct  indication  of  damage  to  an  adjacent  engine  available.  Thus,  for  single  engine  test 
firings  an  indirect  indication  of  propagation  of  the  failure  to  adjacent  engines  is  damage  to  surrounding 
hardware,  particularly  the  test  stand  itself.  The  extent  of  damage  to  the  test  stand  is  generally  available  and 
provides  a  good  indication  of  the  severity  of  the  failure. 

Due  to  the  limited  data  available  at  the  time  of  this  study,  for  incidents  in  which  the  available  failure 
description  is  not  sufficient  to  determine  the  extent  of  damage  to  the  surrounding  hardware  one  available 
piece  of  data  is  the  test  stand  down  time  following  an  event.  Note  that  a  long  down  time  following  an 
event  is  not  necessarily  an  indication  of  damage  to  the  test  stand,  but  may  indicate  a  lack  of  available  test 
hardware,  schedule  considera  ions,  ongoing  failure  investigation,  or  the  installation  of  the  next  lest  engine. 
However,  a  short  down  time  following  an  event  is  a  definite  indication  of  little  or  no  damage  to  the  test 
stand. 

If  essentially  no  damage  to  surrounding  hardware  resulted  from  the  incident  then  propagation  to  the 
cluster  is  not  considered  likely.  If  damage  was  done  to  the  surrounding  hardware  or  the  test  stand  the 
severity  of  the  event  is  considered  and  a  judgement  is  made  as  to  whether  ‘he  event  would  propagate  to  the 
cluster.  Events  in  which  the  effect  on  adjacent  engines  is  not  clear  are  ranked  as  noi  propagating  to  the 
cluster. 

Application  of  this  criteria  thus  provides  a  framework  wiihi.:  which  to  judge  the  36  major  incidents  as 
to  whether  they  are  applicable  to  this  study.  Given  that  a  failure  is  considered  applicable  for  final 
consideration,  and  based  on  the  severity  of  the  post  event  damage,  it  is  ranked  as  to  whether  the  event  would 
propagate  to  a  cluster  failure. 


SSME  FAILURE  SUMMARY 


There  are  a  total  of  36  major  incidents  in  the  SSME  database  which  were  evaluated  for  the  purposes  of 
this  study.  Of  these,  18  are  considered  to  be  applicable  to  this  study  in  that  they  meet  the  criteria  described 
previously.  They  are  indicated  in  the  failure  summaries  by  an  astrnlc  (*)  following  the  ie«>  number.  Of 
these  3  major  incidents  are  considered  failures  which  would  have  propagated  to  adjacent  hitrdware  and  would 
result  in  failure  of  the  entire  cluster.  Thc.se  arc  indicati.d  by  an  additional  astcrik  (**). 

Table  1  summarizes  all  36  of  the  major  incidents  considered  in  this  study.  In  addition  to  providing 
information  about  the  event,  such  as  test  number,  test  date,  engine  number,  configuration,  the  table  details 
the  results  of  implementing  the  criteria  evaluation. 


SSME  MAJOR  INCIDENT  DESCRIPTIONS 

The  SSME  major  incidents  are  discussed  chronologically  in  the  following  paragraphs.  The  event  is 
described  and  the  rationale  for  its  use  in  developing  the  correlation  of  failure  factor  is  discussed. 

Test  901-110*  -  During  test  901-110  (UCR  A005353)  rubbing  in  the  HPOTP  of  engine  0003  caused 
failure  of  the  primary  lox  seal  and  an  uncontained  engine  fire.  The  rcdline  cut  was  set  by  a  HPOTP 
overspccd.  This  failure  resulted  in  an  increase  of  the  intermediate  seal  purge  pressure,  revised  redlines,  and  a 
design  change  from  a  lift-off  seal  to  a  labyrinth  seal  design. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  901-133  ■  Test  901-133  (UCR  A005072)  experienced  a  buru-through  of  the  FPB  wall  during 
testing  of  engine  0(X)4.  The  test  was  cut  by  an  observer.  This  failure  resulted  in  uncontrolled  engine 
shutdown  and  damage  to  the  engine.  The  engine  survived  this  event  and  was  used  for  later  testing.  Since 
the  engine  was  not  severely  damaged  and  there  is  no  indication  of  test  stand  damage  (operational  again  in  6 
days)  this  failure  is  not  considered  applicable  to  the  study. 

Test  901-136*  -  A  failure  of  engine  0004  HPOTP  turbine  end  bearings  occurred  during  test  901-136 
(UCR  A005350)  which  resulted  in  an  uncontained  engine  fire.  The  test  was  cut  by  an  observer.  The  failure 
resulted  in  design  changes  to  heavy  duty  209  series  bearings,  improved  bearing  mounts  and  modifications  to 
the  coolant  circuit  orifice. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
iiidication  of  .significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  902-09.5  -  During  test  902-095  of  engine  0002  (UCR  A008624)  a  leading  edge  airfoil  crack 
resulted  in  blade  failure,  however,  the  engine  damage  was  contained.  The  rcdline  for  the  test  cut  was  from 
the  HTO  IP  radial  accelerometer.  Design  and  process  changes  have  been  implemented  to  increase  blade  life. 

This  failure  resulted  in  uncontrolled  engine  shutdown,  however,  damage  to  the  engine  was  contained. 
The  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  damage  to  the  test 
stand  (operational  within  1 1  days)  in  the  available  d'x;umentation.  Tliis  failure  is  not  considered  applicable 
to  this  study. 

Test  901-147*  -  HPFTP  turbine  blade  failure  of  engine  0103  during  test  901-147  (UCR  A005094) 
resulted  in  a  rapid  power  loss,  reduced  fuel  flow  and  LOX  nch  operation  of  the  engine.  The  test  was  cut  by 
the  HPOTP  radial  accelerometer  rcdline.  As  a  result.  HPFTP  turbine  blade  and  damper  redesigns  were 
initiated. 


This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontaincti  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  (operational  within  11  days)  in  the  available 
dccumcntation  this  failure  would  not  have  propagated  to  an  engine  cluster  failure. 

Test  901-173*  -  Main  injector  lox  post  failure,  cut  off  by  HPFTP  turbine  discharge  temperature. 

This  failure  resulted  in  unconuolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  901-181  -  Main  injector  lox  post  failure  occurred  during  test  901-183  (UCR  A018710)  of  engine 
0002.  Cutoff  was  by  the  HPFTP  turbine  radial  accelerometer.  The  failure  resulted  in  the  incorporation  of 
lox  post  flow  shields. 

This  failure  resulted  in  uncontrolled  engine  shutdown,  however,  damage  to  the  engine  was  contained. 
The  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  damage  to  the  test 
stand  in  the  available  documentation.  This  failure  is  not  considered  applicable  to  this  study. 

Test  902-112  -  During  test  902-1 12  (UCR  AO  19208)  of  engine  0101  on  June  10,  1978  a  blockage  of 
the  fuel  supply  resulted  in  a  HPFTP  turbine  overspeed.  The  redline  cut  for  the  test  was  the  HPFTP  turbine 
speed. 

This  failure  resulted  in  uncontrolled  engine  shutdown,  however,  damage  to  the  engine  was  contained. 
The  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  damage  to  the  test 
stand  in  the  available  documentation.  This  failure  is  not  considered  applicable  to  this  study. 

Test  902-120  *  -  During  test  902-120  (UCR  A005745)  of  engine  0101  structural  failure  and  rubbing 
of  a  capacitor  position  instrumentation  sensor  in  the  HPOTP  resulting  in  engine  fire  and  uncontained 
engine  damage.  The  test  was  cut  by  the  PBP  axial  accelerometer  redline.  The  capacitance  device  is  no 
longer  u.scd. 

This  failure  was  uncontrolled  resulting  in  destruction  of  the  engine  and  damage  to  the  test  stand. 
Although  the  capacitance  device  is  no  longer  used  it  does  demonstrate  the  result  of  a  HPOTP  failure, 
subsequent  fire  and  shrapnel.  This  failure  is  considered  applicable  to  the  study  and  although  some  damage 
was  noted  to  the  test  stand  it  would  not  have  propagated  to  a  cluster  failure. 

Test  902-132  -  During  test  902-132  (UCR  A(X)5780)  of  engine  0006  f  ^curred  as  the  result  of 

the  MOV  being  clocked  wrong.  The  test  was  cut  by  the  low  chamber  pre _  ..jline.  The  failure  resulted 

in  a  guideline  for  the  first  test  of  a  new  engine  to  be  only  1 .5  seconds. 

This  failure  resulted  in  uncontrolled  engine  shutdown,  however,  damage  to  the  engine  was  contained. 
The  engine  survived  this  event  and  was  u.scd  for  later  testing.  There  is  no  indication  of  damage  to  the  test 
stand  in  the  available  documentation.  This  failure  is  not  considered  applicable  to  this  study. 

Test  901-222  -  During  test  901-222  (UCR  A017972)  of  engine  0007  a  failure  occurred  as  a  result  of 
undetected  internal  HEX  damage  caused  during  arc  welding  which  resulted  in  an  engine  fire.  HEX  coil 
leakage  resulted  in  an  unconiained  engine  fire  and  ocvere  damage.  The  test  was  cut  by  the  HEX  discharge 
pressure  redline.  The  leak  was  caused  by  vail  thinning  of  the  HEX  coil  which  occurred  during  welding  and 
reaming  operations.  The  failure  resulted  in  increased  HEX  proof  test  requirements. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  damage  to  the  engine.  However, 
the  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  significant  damage  to 
the  engine  in  the  available  documentation  so  that  this  failure  is  not  considered  applicable  to  this  study. 
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Test  901-225*  -  During  test  901-225  (UCR  A01816)  of  engine  2001  flow  induced  fretting  of  the 
MOV  sleeve  resulted  in  autoignition,  fire  and  explosion.  The  test  was  cut  by  the  HPFTP  turbine  discharge 
lem|X'iaiiire  redlinc.  The  incident  resultcxl  in  several  design  mixlificutions  (ECP's  248,  258,  271)  including 
a  ralesigned  MOV  inlet  siccvc/sea!  area  and  the  incor]X)ralit)n  of  a  vibration  rcdliiKc 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  750-041*  -  During  testing  of  engine  0201  on  May  14,  1978,  the  steerhom  tube  fractured  due  to 
high  structural  loading  (UCR  A006466).  The  test  was  cut  by  the  HPFTP  turbine  discharge  temperature 
redline.  The  failure  resulted  from  structural  fatigue  associated  with  high  strain  accelerations  attributed  to 
exhaust  gas  flow  shock  phenomena  during  start  and  cutoff  transients  causing  failure  of  the  flight  nozzle 
steerhom  fuel  distribution  manifold.  The  failure  resulted  in  fuel  starvation  and  loss  of  mixture  ratio  control. 
Engine  damage  as  a  result  of  the  high  temperature  was  extensive  and  included  the  HPFTP,  HPOTP,  nozzle, 
main  injector  and  the  high  pressure  fuel  distribution  manifold  steerhom  damage.  The  failure  resulted  in 
redesign  of  the  fcedline  assembly  and  nickel  plating  of  steerhom  tees. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engme  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  U)  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Static  Firing  6-01  -  During  Static  Firing  6-01  (UCR  A0()9437)  high  cycle  fatigue  resulted  in  the 
failure  of  engine  2002  MFV  housing,  fuel  leakag"  and  fire.  The  test  was  cut  by  the  HPFTP  turbine 
discharge  temperature  redlinc.  The  MFV  housing  crack  extended  from  the  cap  flange  to  the  outlet  flange. 
The  failure  resulted  in  housing  design  modifications  (ECR  09738).  Rework  housing  cam  bearing  cutout  to 
reduce  stress  ci'^ncenuation. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  unconiained  damage  to  the  engine  during  a 
three  engine  cluster  firing.  The  failure  resulted  in  fuel  leakage  and  fire  during  the  ground  test  In  flight,  the 
chance  of  fire  is  a  function  of  the  available  oxygen  which  is  altitude  dependent.  There  is  no  indication  cf 
significant  damage  to  the  other  engines  or  to  the  test  stand.  The  engine  survived  this  event  and  was  used  for 
later  testing.  Damage  to  the  engine  was  not  significant  and  this  event  is  not  considered  applicable  to  the 
study. 

Stati,.  Firing  6-03*  -  Testing  of  engine  0006  (engine  position  3)  during  a  cluster  firing  on  November 
4,  1979,  resulted  in  a  nozzle  steerhom  rupture  (UCR  A010997).  The  test  was  cut  by  the  HPOTP 
intermediate  seal  purge  pressure  redlinc.  The  failure  was  traced  to  u.sc  of  an  incorrect  weld  filler  wire  during 
fabrication.  The  failure  resulted  in  the  implcmcntauon  of  stringent  weld  wire  audits.  Added  nickel  plating 
to  tec  weld  joints  and  redesigned  to  incorporate  steam  loop 

7  his  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  damage  to  the  engine  during  a 
thiee  cngi.'ic  duster  firing.  1  he  engine  was  rctircil  following  this  event.  Thus,  this  failure  is  considered 
appluabie  io  die  study.  Since  there  is  no  indication  of  significant  damage  to  the  adjacent  engines  or  to  the 
test  stand  in  the  available  documentation  this  failure  did  not  propagate  to  an  engine  cluster  failure. 

Test  902-198*  -  Main  injector  lox  post  failure  resulted  during  test  902-198  of  engine  2004.  Cutoff 
was  by  the  HPOIP  turbine  discharge  temperature  redlinc.  The  failure  resultul  in  a  change  from  the  exisung 
injectors  in  Haynes  188  lox  post  tips  in  rows  10  through  13.  New  injectors  have  all  Haynes  188  lox 
posts. 

This  failure  resulted  in  iinconUollcd  engine  shutdown  and  uncontained  engine  damage.  Tlie  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the.  study.  .Since  there  is  no 
indication  of  significant  damage  to  the  test  sund  ir:  the  available  documentation  this  failure  would  not  have 
propagaU'd  to  an  engine  cluster  failure. 


Test  901-284*  -  During  test  901-284  (UCR  A015786)  of  engine  0010  a  malfunctioning  MCC 
chamber  pressure  lee  jel  caused  the  controller  to  lower  the  HPOTP  output  and  resulted  in  HPOTP  fire  and 
external  damage.  The  test  was  cut  by  HPOTP  accelerometer  rcdlincs.  The  fad-'re  resulted  in  installation  of 
a  positive  retainer  in  Pc  port  flange  to  prevent  Ice  jet  from  backing  out. 

This  failure  was  uncontrolled  resulting  in  destruction  of  the  engine  and  damage  to  the  test  stand. 
Although  redesigns  have  been  implemented  this  failure  does  demonstrate  the  lesult  of  a  HPOTP  failure, 
subsequent  fire  and  shrapnel.  This  failure  is  considered  applicable  to  the  study  and  although  some  damage 
to  the  test  stand  was  noted,  it  would  not  have  propagated  to  a  cluster  failure. 

Static  Firing  10-01  -  During  Static  Firing  10-01  (UCR  A015391)  of  engine  0006  a  bum-through  of 
the  FPB  liner  and  housing  occurred.  The  test  was  cut  by  an  observer.  The  failure  resulted  in  the  addition  of 
a  molybdenum  in.sulalor  and  new  divergent  ring  liner. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  damage  to  the  engine  during  a 
three  engine  cluster  firing.  The  failure  resulted  in  external  leakage  of  hot  gas  from  the  FPB  bum  through. 
There  is  no  indication  of  significant  damage  to  the  other  engines  or  to  the  test  stand.  The  engine  survived 
this  event  and  was  used  for  later  testing.  Damage  to  the  engine  was  not  significant  and  this  event  is  not 
considered  applicable  to  the  study. 

Test  901-307*  -  During  test  901-307  of  engine  0(X)9  a  failure  occurred  in  which  the  FPB  injector 
experienced  a  bum-through.  This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine 
damage.  The  engine  was  retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the 
study.  Since  there  is  no  indication  of  significant  damage  to  the  lest  stand  in  the  available  documentation 
this  failure  would  not  have  propagated  to  an  engine  cluster  failure. 

Test  750-140  -  Main  injector  lox  post  failure  resulted  during  test  750-140  of  engine  01 10.  This  failure 
resulted  in  a  controlled  engine  shutdown  and  contained  engine  damage.  The  engine  survived  this  event  and 
was  used  for  later  testing.  Thus,  this  failure  is  not  considered  applicable  to  the  study  since  it  resulted  in  a 
controlled  engine  shutdown  and  minor  damage. 

Test  901-331  *  -  During  testing  of  engine  2108  on  July  15,  1981,  injector  post  and  engine  damage 
was  caused  by  material  failure  of  the  lox  posts  (UCR  A013786).  The  test  was  cut  by  the  HPOTP  turbine 
discharge  temperature  redline.  jiie  failure  resulted  in  the  application  of  new  materials  for  the  lox  posts  and 
the  addition  of  flow  shields. 

This  failure  resulted  in  uncontrolled  engiric  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  75G- 148  -  Main  injector  lox  post  failure  resulted  during  test  750-148  (UCR  A016031)  of  engine 
0110.  Cutoff  was  by  the  HPOTP  turbine  discharge  temperature  redline.  The  failure  resulted  in  the 
implementaiion  of  all  Haynes  188  lox  posts  and  extended  flow  shields. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  damage  to  the  engine.  However, 
the  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  significant  damage  to 
the  engine  in  the  available  documentation  .so  that  this  failure  is  not  considered  applicable  to  this  study. 

Test  902-249*  -  The  HPFTP  inlet  volute  of  engine  0204  failed  during  test  902-249  (UCR  AO  18288) 
as  a  result  of  non-standard  fuel  prebumer  injector  modifications  which  produced  a  hot  FPB  core.  A  group  of 
plugged  FPB  LOX  posts  created  a  hot  spot  and  dclaminalion  of  the  Ni/Renc  first  stage  blade  tip  seal, 
resulting  in  blade  failure,  shrapnel  and  inlet  volute  rupture.  The  test  was  cut  by  the  HPFTP  radial 
accelerometer  redline.  The  resulting  fire  destroyed  both  turbines,  the  po'^erhead,  MCC  and  nozzle.  This 
failure  resulted  in  a  design  change  to  all  Rene  blade  tip  seals  and  prebumer  modification  restrictions  to 
preclude  a  "hot  core." 
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This  laiiurc  was  uacuniroiicd  rcsiikinj:;  in  ticsiruciion  of  die  engine  and  damage  to  the  test  stand. 
Allhough  fixes  have  been  implemented  this  failure  docs  demonstrate  the  result  of  turbine  blade  failure  and 
subsequent  fire  aiu!  >hr  ipne!  i  r.:s  lailure  is  eonsidered  applieabie  to  the  siudy  and  although  some  damage 
to  die  test  sLind  was  noted,  it  wou'd  riot  have  preipagaied  to  a  fluster  failure. 

Test  9CM-3T0  -  .A  HPR’P  turbine  discharge  sheet  metal  failure  of  weld  56  during  test  901-340  (UCR 
.A0i8305)  of  engine  0107  caused  turbine  How  blockage  and  residicd  in  contained  turbopump  damage.  The 
test  wtis  cut  by  exceeding  the  tfPF'rP  turbine  discharge  temperature  redline.  The  failure  resulted  in  weld 
prep  redesign  to  achieve  KX)'"';  penetration  and  the  inclusion  of  x-ray  inspection  where  accessible. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  damage  to  the  engine.  However, 
the  c  iigiiie  suiMveu  tins  esent  and  was  used  for  later  tes'ing.  Tficre  is  no  indication  of  significant  damage  to 
the  engine  in  the  available  divuinoniation  so  that  this  failure  is  not  considered  applicable  to  this  study. 

Test  750-i()(7*  -  .A  blockage  of  the  fuel  supply  a.s  a  result  of  ice  formation  occurred  during  test  750- 
160  (UCR  .A0l6ri45)  of  engine  01 10  which  burned  both  turbines,  HGM,  main  injector,  MCC  and  nozzle. 
The  test  was  cut  by  the  HPFIP  turbine  discharge  temperature  redline.  The  failure  resulted  in  revised  engine 
drying  priKCthires  tu  .''cmovc  a!)  water  following  EDM  operations 

This  failure  resulted  in  iiiieonirolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  followhng  this  c'cnt.  I  hus,  this  failure  is  considered  applicable  to  the  .Uudy.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  docnmcntaiK'n  this  lailure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  90 1  -  -  A  new  redesigned  Kai.sci  cap  nut  allowed  hot  gas  icakiagc  into  the  coolant  circuit 

during  test  901-364  (UCR  AlXXs-SlO;  of  engine  ?0!.'  svhich  resultcxi  in  bearing  failure,  uncontained  engine 
damage  and  complete  destruction  of  the  engine.  The  lailure  produced  significant  shrapnel  and  test  stand 
damage  with  Ue  engine  uliimaicly  septirating  from  the  test  stand.  A  redline  cut  was  set  by  the  PBP  radial 
accelerometer.  The  icxlcsigncd  nut  was  tested  no  further  and  all  engiin's  continue  to  asc  the.  original  design. 

This  failure  was  uncontrolled  rc.sulting  in  destnict-on  of  the  engine  and  damage  to  the  test  stand. 
Although  this  hardware  configuration  is  no  longer  in  use  it  does  demonstrate  the  result  of  a  loss  or 
disruption  of  coolant  flow  to  ihc  lurbomachincrv  .  This  failure  is  considered  applicable  to  the  study  and 
would  have  pr'ipe!g:itci.1  ti'  a  •.lusicr  failure. 

Test  750-165  -  During  test  7'0-165  of  engine  0107  the  OPOV  cxponenced  seal  erosion.  The  test 
conunued  for  the  pnigrammcd  duration.  T  his  failure  resulted  in  a  controlictl  engine  shutdown  and  contained 
engine  damage.  The  engine  survived  this  event  and  was  used  for  later  ic.sting.  Thus,  this  failure  is  not 
ci'iiMdercd  applicable  to  the  study  since  it  resulted  in  a  controlled  engine  shutdown  and  minor  damage. 

Tc:-’i  750-168  During  lest  750  loH  of  engine  0107  ASl  hlowbaek  cau.scd  post  cut-off  OPOV  ball  seal 
leakage  Insrseelisv;  rewalcvi  I'le  wa.s  em-  ked  ir.d  cnxk'd.  Thr  tea  ...  '..fauted  through  the  programmed 
fiur  iron  TTc  v '  i!  i  v,'(j:  ,  nee  ,nd  jairee  ivtjieri’mcuts  were  revival. 

;  ae  »■!?■, u'.’e  I  "i  t.  l•'..■:l!rr■'ed  engine  snu-.dnwn  ar.-T  eoiiuilncu  oiiginc  damage.  The  engine  was 

rcdfcd  iolli'wiue  this  ■.‘v-.  n;,  'lev,  thn  failu'c  is  not  ( (insider.xi  applicable  to  ihc  study  since  it  resulted  in  a 
eontj'ificd  cpionc  si.iiS.’own  nii’ioi  damage. 


Tesi  75(J- 175**  -  TJie  rilTi  duei  of  engine  220H  was  nnKiiilcd  with  the  mslaiiation  of  an  ultrasonic 
flow  meter.  During  test  750-175  (UCR  AO!  1506)  a  failure  resulted  in  lOXiTP  overspeed  to  44,000  rpm 
(nornmal  2  b.ifX)  rjnni  causing  disc  rupture,  pump  fire,  shrapnel  and  extensive  engine  damage.  The  test  was 
cut  by  the  I’RP  .Kcelero.ncicr  redline.  T 'x  i.iilure  occu.Tcd  at  th.e  bra.'cd  join;  I'otwccn  the  prototype 
ultrasonic  nowmo'cr  and  the  high  pressure  cxidi/cr  turbopump  discharge  duct  and  resulted  in  dcstniclion  of 
the  HTO  due  I,  the  MP( )  I  P.  [he  ilt'i'd  urd  ih-  r  oniioller.  ITiriher  use'  of  ultrasonic  iTow'  rnetcr  on  HPO  duct 
was  elimi'i.-i!i.d 


This  failure  was  uncontrolled  resulting  in  destruction  of  the  engine  and  damage  to  the  test  stand. 
Although  this  hardware  configuration  is  no  longer  in  use  it  docs  dcmonsiraic  the  result  of  a  loss  of  oxidizer 
flow  and  subsequent  HPOTP  turbine  overspeed,  lox  fire  and  shrapnel.  This  failure  is  considered  applicable 
to  the  study  and  would  have  propagated  to  a  cluster  failure. 

STS- 1 1  One  major  incident  acti..i!ly  ixtcurred  in  flight  during  STS-11  and  was  obviously  not 
catastrophic.  During  the  flight  the  ASl  chamber  of  engine  2015  experienced  erosion  due  to  a  drill  chip 
lodged  in  an  ASI  orifice.  Engine  cut-off  was  by  programmed  duration  The  failure  resulted  in  the  addition 
of  an  ASI  fuel  filter  to  the  supply  line. 

The  engine  bum  continued  for  the  programmed  duration.  This  failure  resulted  in  a  controlled  engine 
shutdown  and  contained  engine  damage.  Although  there  was  damage  to  the  engine  itself,  there  was  no 
damage  to  the  adjacent  engines.  The  engine  survived  this  event  and  was  used  for  later  testing.  Thus,  this 
failure  is  not  considered  applicable  to  the  study  since  it  resulted  in  a  conuolled  engine  shutdown  and  minor 
damage. 

Test  901-436*  -  .A  hydrogen  leak  during  lest  901-436  (UCR  A013338)  of  engine  0108 
overpressurized  the  HPFTP  coolant  cavity  and  resulted  in  a  coolant  liner  failure  and  major  engine  damage, 
destroying  both  turbines,  the  powerhead,  MCC  and  nozzle.  A  redline  cut  was  issued  due  to  high  HPFTP 
turbine  discharge  temperature.  Design  changes  were  incorporated  to  decrease  hot  gas  leakage  into  tlie 
coolant  circuit,  a  coolant  liner  pressure  redline  was  implemented  and  inspection  requirements  were  increased 
on  the  coolant  liner  close-out  weld. 

This  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was 
retired  following  this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no 
indication  of  significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have 
propagated  to  an  engine  cluster  failure. 

Test  901-468  -  During  test  901-468  (UCR  A014585)  of  engine  0207  a  stress  concentration  at  the 
welded  boss  caused  the  FPB  manifold  to  crack  resulting  in  fire  and  miajor  engine  damage.  This  failure 
resulted  in  uncontrolled  engine  shutdown  and  uncontained  engine  damage.  The  engine  was  retired  following 
this  event.  Thus,  this  failure  is  considered  applicable  to  the  study.  Since  there  is  no  indication  of 
significant  damage  to  the  test  stand  in  the  available  documentation  this  failure  would  not  have  propagated  to 
an  engine  cluster  failure. 

Test  750-259**  -  A  failure  of  the  MCC  outlet  manifold  weld  occurred  during  test  750-259  (UCR 
AO  157 13)  of  engine  2308  and  resulted  in  complete  engine  destruction.  The  failure  resulted  in  shrapnel  and 
test  stand  damage  with  the  engine  ultimately  separating  from  the  lest  stand.  The  lest  was  cut  by  the 
HPFTP  accelerometer  and  turbine  discharge  temperature  redlines.  Failure  investigation  determined  that  the 
MCC  outlet  assembly  had  ruptured  due  to  fatigue  or  undetected  flaws.  The  failure  resulted  in  improved 
inspection  of  the  assembly,  redesign  of  the  outlet  neck  and  spliuer  and  implementation  of  life  limitations 
on  other  MCC’s. 

This  failure  resulted  in  uncontrolled  engine  shutdown,  destruction  of  the  engine  and  significant  damage 
to  the  te.st  stand.  This  failure  is  considered  applicable  to  the  .study  and  would  have  propagated  to  an  engine 
clastcr  failure. 

Test  750-285  -  A  Class  1  leak  was  experienced  during  test  750-285  at  the  number  8  feedline.  Engine 
0210  (May  21,  1987)  experienced  a  fccdlinc  crack  at  the  saddle  bracket  slop  weld.  The  lest  was  cut  by  a 
facility  ambient  air  thermocouple.  The  failure  resulted  in  improved  feedline/saddle  bracket  and  weld 
interference  in.speclions. 

This  failure  resulted  in  unconuolled  engine  shutdown  and  uncontained  damage  to  the  engine.  However, 
the  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  significant  damage  to 
the  engine  in  the  available  documentation  so  that  this  failure  is  not  considered  applicable  to  this  study. 

Test  902-427  -  During  testing  of  engine  2KX)  on  June  26,  1987  at  the  NSTL  A-2  lest  stand  the  low 
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pressure  fuel  pump  discharge  duct  experienced  a  corrosion  induced  leak  and  subsequent  external  hydrogen 
fire.  The  test  was  cut  by  an  ambient  powerhead  icmpcralurc  redlinc.  To  preclude  the  possibility  of 
corrosion  induced  failures,  flight  engines  will  use  low  pressure  fuel  turbopump  discharge  ducts  with  low 
calendar  life  and/or  hotfirc  time  (DAR  2074).  .Sub.scqucnt  flight  engines  will  use  corrosion  protected  low 
pressure  fuel  lurbopump  dischttrge  ducts  (ECP  977). 

This  failure  resulted  in  uncontrolled  engine  shutdown  ,  however  the  damage  to  the  engine  was 
contained.  The  engine  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of 
significant  damage  to  the  engine  in  the  available  documentation  so  that  this  failure  is  not  considered 
applicable  to  this  study. 

Test  902-428  -  During  test  902-428  of  engine  2106  a  crack  in  the  OPB  interpropellant  plate  resulted  in 
the  formation  and  build  up  of  ice,  blocking  the  fuel  supply  which  altered  the  OPB  exhaust  flow  distribution 
and  burned  through  the  liner  causing  faceplate  erosion  and  HPOTP  turbine  end  damage.  The  test  was  cut  by 
a  facility  redline.  The  failure  was  caused  by  cracks  in  the  interpropellant  plate-to-element  braze  joints.  The 
cracks  allowed  propellant  mixing  and  caused  ice  contamination  to  form  in  fuel  manifold.  The  failure  was 
determined  to  be  the  result  of  poor  braze  joints  made  during  fabrication.  Flight  engines  are  cleared  by  a 
review  of  the  manufacturing  braze  joint  records. 

rhis  failure  resulted  in  uncontrolled  engine  shutdown  and  uncontajned  damage  to  die  engine.  However, 
the  engi.ic  survived  this  event  and  was  used  for  later  testing.  There  is  no  indication  of  significant  damage  to 
the  engine  in  the  available  documentation  so  that  this  failure  is  not  considered  applicable  to  this  study. 


ANALYSIS 

The  results  of  applying  the  criteria  to  the  SSME  major  incidents  databa.se  results  in  a  total  of  18 
applicable  failures,  of  which  3  am  considered  to  propagate  to  a  cluster  failure. 

The  mean  is  then  computed  by 

X  =  3/18  =  0.167 

Due  to  the  small  sample  size  the  F  distribution  is  assumed  in  order  to  develop  the  confidence  interval 
for  this  case.  For  a  95%  confidence  interval  the  rc,suln  of  applying  the  F  distribution  are 

0.036  <  X_<  '0.4J4 

Thus,  with  a  95%  confidence  interval  the  probability  that  a  failure  will  propagate  to  the  adjacent 
engines  in  the  cluster  is  between  4%  and  41%,  given  that  an  uncontrolled  engine  failure  occurs. 


CONCLUSIONS 

In  the  development  of  future  launch  vehicles  the  potential  benefit  of  engine  out  capabilities  must  be 
weighed  against  the  risks  that  if  an  engine  fails  in  an  uncontrolled  manner  it  will  result  in  the  loss  of  the 
entire  engine  cluster.  This  study  evaluated  the  SSME  which  is  flown  in  a  three  engine  cluster.  No 
uncontrolled  SSML  failures  have  occurred  in  flight.  Only  a  limited  amount  of  ground  testing  has  actually 
been  done  in  a  three  engine  cir.stcr  and  although  failures  have  occurred  none  have  propagated  to  involve  the 
entire  cluster. 

However,  the  test  data  evaluated  here  indicates  there  is  a  reasonable  probability,  approximately  17%, 
that  an  uncontrolled  SSME  failure  will  propagate  to  the  adjacent  engine.s  given  that  an  uncontrolled  failure 
occurs.  The  confidence  interval  <s  between  4%  and  41%  that  a  failure  will  propagate  to  the  cluster  with  a 
95%  cc-iifi'lencc  level. 
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Appendix  A. 2 


A  Quick  Calculation  of 
the  Effect  of 

Failure  Correlation  Factor 
vs. 

Engine  Out  Capability 
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r-..J  C  OJVRELATinN  j  LI'-IBINE  OUT  CAPABILITY 

A  preliminary  trade  o-ff  study  of  single  large  liguid  rocket  engines  vs 
"clustering"  with  reliability  as  the  driver  follows.  Weight  and  cost  as 
well  as  engine  out  capability  is  also  considered  but  not  calculated. 

Let , 

R1  =  rocket  engine  reliability  excluding  plumbing  to  tanks. 

R2  =  reliability  of  plumbing. 

Assume  a  single  engine  plumbing  reliability  of  R2  =  0.999  and  that  increases 
in  numbers  of  rockets  produce  directly  proportional  increases  in  plumbing 
complexity. 

Since  reliability  decreases  with  increasing  complexity  then  if, 
n  :=  1  . . 16  the  total  number  of  rocket  engines 


R2  :=  exp(n  ln(0.999) ) 


Since  smaller  "state  of  the  art"  engines  are  more  mature  thus  possibly 
more  reliable  then  R1  increases  as  n  (the  no.  of  engines)  increases. 
This  is  because  the  more  engines  there  are,  the  smaller  they  are. 


R1  ;  = 

rriii-q 
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:=  R2 
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ni  i!  I 


RT  = 
B 


"No.  of  engines 
0.9302877  min 


minimum  reliability 
with  8  engines  and 
NO  engine  out  cap- 
abi 1 i ty . 


Consider 


engine 


capabi 1 ity : 


if  the  number  of  engines  varies  from  4  to  16, 
m  =  the  total  no.  of  engines 


the  maximum  engine  out  capability 


RS  =  total  reliability  with  engine  out  capability-.- 
C  : =  1.0  cost 


1  n 


■i  o  K  +• 
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R1  R2  :=  expCm  ln(0.999)) 
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Let  REC  =  reliability  with  correlated  failures 


j  :=  1  ..7  =  the  number  of  correlated  failures 

4 

'  j  ! 

REC  :=  |1  -  . .  I  , for  four  engines 

j  i,  1000  ! 

REC 

J 

Q,., 996006  J 
:  O- 892024  ; 

[  0,9880539  I 
0.9840957  ' 

I 0,9801  495  i 
L..0,,9762  1.5  1_J 
|..„0,,.9722?26  i 


Thus  4  engines  are  no  better  than  1  if  the  correlation  factor  i 
between  20  and  30'4  as  shown  below. 

RT  REC  RS 

J  J  4 

RT 

J 

;  0.99071J53  j 
;  0. 9867545  i 
,0.9828055  i 
Q  - 87,88684 
I  0.9749431 
■  0,9710286. 

;  0.96 7 1279 
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Not  only  are?  -four  engine'^  no  better  than  one  under  the  above  conditions, 
three  or  two  engines  are  also  no  better.  In  -fact  the  correlation  -factor 
drives  the  results  and  begins  to  do  so  at  about  15'/.. 

Time  did  not  allow  a  thorough  study  o+  the  ef-fects  o-f  cost  or  weight. 

In  fact  tile  entire  subject  is  complex  enough  to  warrant  a  separate  study. 

One  could  easily  envision  that  an  increase  in  the  number  uf  engines, 
plumbing  and  detection  apparatus  would  increase  weight  thus  reduce  payload 
and  might  guickly  render  a  clustered  system  uneconomical. 

The  purpose  of  this  brief  set  of  calculations  is  not  to  draw  conclusions 
but  that  correlation  factors  of  about  15'/.  are  definitely  a  "red  flag"  that 
warrants  further  study.  It  appears  that  liguid  engine  manufacturers  are 
overly  optimistic  about  correlation  factors. 
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SUMMARY 


This  report  contains  reliability  data  for  the  following  families  of  United  States  launch  vehicles:  Thor/ 
Della,  Titan,  Atlas,  the  Saturn  "Family",  the  Scout  "Family",  and  the  Space  Shuttle. 

The  reliability  data  was  obtained  through  the  statistical  models  and  procedures  described  in  Section 
2.0  as  applied  to  the  “Launch  Vehicle  Failure  History  Data  Base"  compiled  by  C.T.  Clague  of  the  Aerospace 
Corporation  and  other  data  sources  given  in  the  bibliography.  The  results  of  the  analysis  are  summarized 
in  the  following  table. 

The  statistical  model  and  algorithm  contained  in  this  report  is  unique  and  is  the  only  technique  except 
for  D.  Lloyd’s  model  that  has  been  developed  expressly  for  launch  vehicles.  It  provides  conservative 
reliability  estimates  during  the 'early  launch"  period  of  development.  It  also  converges  to  the  same  value 
obtained  by  D.  Lloyd  when  a  sufficiently  large  number  of  launches  and  or  tests  have  been  attained.  Unlike 
D.  Lloyd’s  method,  it  does  not  require  judgement  as  to  whether  or  not  a  failure  has  been  corrected  nor 
does  it  require  that  component  failure  mode  be  known. 


OBJECTIVE  AND  BACKGROUND 

The  objective  of  this  report  is  to  produce  a  statistical  model  and  algorithm  which  can  estimate 
launch  vehicle  reliability  based  solely  on  attribute  data  that  presently  exists.  In  addition,  the  methodology 
is  to  serve  as  a  means  of  estimating  stage  and  system  reliability.  A  secondary  objective  is  to  use  the  model 
as  a  means  of  predicting  the  reliability  of  new  systems. 

Presently  existing  methodologies  do  not  meet  the  objectives  cited  above. 

By  way  of  background,  the  first  attempts  to  measure  launch  system  reliability  were  made  in  order 
to  either  ascertain  what  level  of  reliability  had  been  attained  at  a  given  point  especially  prior  to  customer 
‘buy  off"  or  acceptance. 

In  the  I960's  the  most  widely  accepted  approach  was  to  assume  that  each  test  or  launch  was 
independent  of  all  others.  Using  this  assumption,  one  could  easily  calculate  the  reliability  at  any  given 
level  of  confidence  using  the  Binomial  distribution.  It  became  obvious,  however,  that  reliability  and 
confidence  levels  above  90%  would  require  an  inordinately  large  number  of  tests.  In  the  early  70's 
Bayesian  analysis  was  introduced.  However,  due  to  the  subjective  nature  of  prior  distributions  which  rely 
on  expert  judgement  rather  than  direct  results  from  experiments  and  tests,  the  Bayesian  approach  did 
not  receive  wide  acceptance  in  the  aerospace  industry. 

In  recent  years  D.  Lloyd  of  TRW  began  developing  a  methodology  that  does  require  judgement,  but  the 
judgement  is  based  solely  on  evidence  that  the  propensity  for  certain  failure  modes  to  occur  has  been  reduced 
by  redesign  and  retest. 

Dr.  D.  Lloyd's  method  appears  to  be  the  most  recent  attempt  made  to  estimate  reliability  or 
developmental  environment  which  includes  Reliability  Growth  until  now. 

The  methodology  developed  for  this  study  is  discussed  in  Section  2.0  of  this  report  and  is  an  approach 
which  has  gome  attractive  features  not  found  in  other  methods.  This  methodology  was  applied  to  the 
historical  data  obtained  during  the  course  of  the  study  to  produce  the  tables  of  reliability  data  which  follow. 
A  summary  of  all  the  results  is  given  in  Table  A. 2  and  results  for  individual  launch  vehicle  failures  are 
indicated  in  Tables  A. 2a  through  A.2f. 
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TABLE  A.2:  RELIABILITY  COMPARISON  OF  U.S.  LAUNCH  VEHICLE  FAMILIES 


SYSTEM  I  STAGE  NO. 


TABLE  A2a:  RELIABILITY  OF  THE  THOR/DELTA  FAMILY 


Vehicle  Name 
Data  Collection 
Period 

Success 
Ratio;  Mean 
5% 

15% 

Stags  0 
Stags  1/2 
Stags  1 
Stags  2 
Stags  3 
Stags  4 
Propulsion 
Guidanes 
Flight  Control 
Structure 
Electrical 
Separation 
Ohsr  or  (UK) 
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SYSTEM  I  STAGE  NO. 


TABLE  A2b:  REUABiUTY  OF  THE  UTAN  FAMILY 


Vehicl*  Name 
Data  Collection 
Period 


Success 
Ratio;  Msan 
5% 
95% 


Stags  0 


Stags  1/2 


Stags  1 


SUgs  2 


Stags  3 


Stags  4 


Propulsion 


Guidance 


Flight  Control 


Structure 


Electrical 


Separation 


Other  or  (UK) 
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SYSTEM  I  STAGE  NO. 


TABLE  A2c:  REUABIUTY  OF  THE  ATLAS  FAMILY 


Vehicle  Name 
Data  Collection 
Period 


Success 
Ratio;  Mean 
5K 
95% 


no  failure 

no  failure 

0.9069 

7883 

0.6313 

0.6313 

0.8450 

E 

.4761 

0.9489 

E 

.9953 

Stags  0 


Stags  1/2 


SUgs  1 


Stags  2 


Stags  3 


Stags  4 


0.9814 


0.9810 


0.9420 
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SYSTEM  I  STAGE  NO. 


TABLE  A2d:  RELIABILITY  OF  -mE  SATURN  FAMILY 


Vehicto  Name 

Saturn 

1  "Family- 

Data  Collection 

Period 

Jupiter 

Juno 

Saturn  1 

Saturn  IB 

Saturn  V 

58-58 

58-61 

62-65 

66-75 

67-73 

Elactrical 

Sapsratlon  0.5741 

0(h«r  or  (UK) 


0.8575 
0.7009 
0  7629 
0  9378 


SYSTEM  I  STAGE  NO. 


TABLE  A2e:  REUABILITY  OF  THE  SCOUT  FAMILY 


SUCCMS 

Ratio:  Main 
5% 
95% 


Staga  0 


Staga  1/2 


Staga  1 


Staga  2 


Staga  3 


Staga  4 


Propulalon 


Quidanea 


Right  Control 


Struct ura 


Elactricai 


Saparation 


Othar  or  (UK) 


0.8347 


0S049 


0  8039 


0.9917 


0,9875 


0,9746 


0,9870 


0.7521 

0.9793 

0.9174 

0.9917 

0.8347 

0,9917 

0.9876 


0.9959 


0.9959 
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TABLE  A^:  RELIABIUTY  OF  THE  SPACE  SHUTTLE 


Vehicle  Name 

Data  Collection 

Period 

STS 

Space  Shuttle 

81-88 

Success 

Ratio:  Mean 

5% 

95% 

0.9275 

0  8147 

0  9806 

Stags  0 

Stage  1/2 

d 

z 

Stage  1 

0.9275 

o 

< 

Stage  2 

« 

Stage  3 

Stags  4 

Propulsion 

0.9275 

Guidance 

3 

UJ 

Flight  Control 

►- 

(A 

> 

(A 

Structure 

Electrical 

Separation 

_ 

Other  or  (UK) 
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1 , 0  EXISTING  METHODOLOGIES 


For  the  purposes  of  this  report,  the  following  existing  methodologies  will  be  briefly  discussed. 

•  Binomial 

•  Polynomial  Curve  Fitting 

•  Bayesian 

•  D.  Lloyd's  Method 


1 . 1  The  Binomial  Method 

The  “traditional,"  or  classical,  approach  to  reliability  demonstration  in  a  go/no-go  type  environment 
is  the  Binomial  distribution  shown  below.  In  addition  to  the  obvious  constraints  of  the  assumptions  listed 
below,  it  is  interesting  to  note,  for  example,  that  it  would  require  45  launches  with  og  failures  to 
demonstrate  0.95  reliability  at  90%  confidence.  Since  trials  are  assumed  to  be  independent,  the  growth 
effect  (a  type  of  dependency)  cannot  be  evaluated. 

Stated  mathematically  the  Binomial  Distribution  is  as  follows: 

N  /  M  \  X  N-X 

^  U  X  h  ^  ^  =  1  -  C,  if  N  <  S  S  0 

x=s' 


where; 

S  =  number  of  successful  start  tests 
N  =  number  of  trials 
R  =  reliability 
C  =  confidence  level 

where  it  is  assumed  that 

•  Trials  or  tests  ao  independent 

•  Each  trial  results  in  success  or  failure 

•  The  reliability  (probability  of  success)  of  each  system  is  the  same  on  each  trial 

•  The  number  of  tests  is  fixed  in  advance  of  the  demonstration  test 

1.2  Polynomial  Curve  Fitting 

Polynomial  trends  are  of  the  form 
Y  =  A  +  BX  +  CX"  +  DX"  +  ...  JX" 

The  straight  line  is  a  special  case  having  or  /  the  first  two  terms  on  the  right  hai.d  side  of  the  equation. 
Generally  speaking,  it  is  unwise  to  fit  a  high-degree  polynomial  to  the  data  because  of  the  possibility  of 
mixing  trend  and  cycle.  The  polynomial  can  be  forced  to  fit  data  quite  closely  by  just  adding  enough  terms. 
This,  however,  does  not  contribute  any  information  about  trend.  In  fact,  1  degree  of  freedom  for  error 
is  lost  for  every  parameter  that  is  estimated  from  data.  Thus,  if  there  are  n  observations  and  n  degrees 
of  freedom  are  lost  in  fitting  a  polynomial  of  degree  n-l  item,  there  are  0  degrees  of  freedom  left  for 
error! 
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1.3  Bayesian  Analysis 


For  the  purposes  of  this  report,  Bayesian  analysis  can  be  divided  into  two  categories; 

1.  Reduction  of  the  number  of  tests  or  flights  to  demonstrate  that  a  given  level  of  reliability  has  been 
achieved. 

2.  The  Beta-Binomial  Model 

If  it  is  desired  to  reduce  the  numbers  of  tests  or  flights  required  to  demonstrate  a  given  level  of 
reliability,  then  Bayesian  analysis  can  be  useful.  If  the  following  equation,  taken  from  reference  1,  is 
solved  for  n  at  R=0.95,  r=0,  P=0.50  and  C=90%  confidence  is  desired,  then  it  can  be  concluded  that  only 
14  launches  would  be  required. 


where; 


C  = 


( 1  -  P)  ( 1  -  R) 


;  n-r+1  r 

I  p  q 

»  A 


1  + 


( P)  ( R) 


>  ^  rvr  r+1 

I  p  q  dp 

•  D 


n  =  number  of  launches 
r  =  number  of  failures 
R  =  reliability 
C  =  confidence  level 
P  =  Bayesian  Prior 


The  Beta-Binomial  Bayesian  model  is  used  for  Bayesian  estimation  when  information  is  available  about 
components  of  similar  design  and  application.  In  this  model,  several  similar  components  are  treated  as  a 
single  class.  The  probability  p  of  each  component  in  the  class  is  assumed  to  be  constant,  but  will  have 
different  values  from  component  to  component.  If  the  Binomial  distribution  is  used  to  obtain  the  probability 
of  K  failures  in  n  trials,  then  the  conjugate  distribution  g(p)  for  the  class  is  the  Beta  distribution.  This 
model  weights  the  reliability  growth  effect  and  can  be  applied  to  forecast  the  reliabilities  of  launch 
vehicles.  The  detailed  theoretica'  analysis  can  be  found  in  reference  2.  The  disadvantage  of  this  model  is 
that  it  is  very  difficult  to  separate  the  total  sample  data  into  several  similar  components  unless  there 
is  detailed  engineering  analysis  concerning  each  failure  mode  during  the  different  periods  of  launch  vehicle 
development  history. 


Bayesian  approaches  are  highly  sensitive  to  the  prior  distributions  used.  If  no  meaningful  estimate 
of  the  prior  probability  of  success  can  be  made,  none  of  the  above  conclusions  apply.  Particularly,  one 
must  be  wary  of  consistent  optimism  or  pessimism  when  records  of  success  do  not  support  the  prior 
probabilities. 

1.4  D.  Lloyd’s  Method 

In  Lloyd’s  model,  the  rationale  is  that  when  engineering  corrective  action  for  a  failure  is  implemented, 
the  probability  of  recurrence  of  that  failure  is  reduced;  therefore,  such  failures  should  not  be  carried  as 


full  failures  in  subsequent  reliability  estimates.  The  failure  value  for  each  failure  model  is  assumed  to  be 
f  -  1-(1-  Y) 

where  y  'S  the  confidence  level  and  n  is  the  number  of  successful  tests  after  corrective  action. 

Based  on  a  detailed  engineering  analysis  for  each  failure  mode,  the  result  of  each  failure  for  each 
failure  mode  can  be  obtained  by  solving  the  above  equation.  The  final  result  of  the  reliability  estimation 
is  R  =  1  -  If/N  where  If  is  the  cumulative  failure  number  of  all  failure  modes  and  N  =  the  test  number. 

This  model  weights  the  growth  effect  and  can  be  extended  to  forecast  the  reliability,  the  failure  mode 
and  the  launch  number  at  which  the  failure  mode  occured  as  well  as  the  launch  number  at  which  it  was 
corrected.  The  confidence  level  y  is  directly  related  to  the  final  results  and  requires  subjective 
judgement  as  to  what  value  is  to  be  used. 


2.0  A  NEW  STATISTICAL  MODEL 

The  developmental  history  of  any  launch  vehicle  can  be  considered  as  two  time  periods  -  the  early 
testing  period  and  the  performance  period.  Generally,  during  the  early  testing  period  the  unreliability  of 
a  launch  vehicle  is  high  and  unstable.  After  a  “failure,  analysis,  and  fix”  process,  in  conjunction  with 
technical  and  design  improvements,  the  unreliability  of  a  launch  vehicle  decreases  and  stabilizes  in 
the  performance  period. 

A  statistical  model  which  weights  the  reliabilities  of  these  two  periods  has  been  developed.  The  detailed 
descriptions  of  the  materials  for  reliability  analysis  of  vehicles,  stages,  systems,  and  engines  (or  motors) 
are  introduced  in  the  following  sections. 


2.1  Estimation  of  Launch  Vechicle  Reliability 

The  easiest  way  to  estimate  the  average  unreliability  of  a  launch  vehicle  is: 

U,  =  F/L  { 1 ) 

where  is  the  estimated  average  unreliability,  and  F  and  L  are  the  cumulative  failure  and  launch  numbers. 

As  was  mentioned  before,  the  reliability  growth  effect  must  be  considered  to  get  a  more  realistic 
estimation  of  the  unreliability.  In  the  present  model,  the  average  unreliability  is  defined  as 

U  =  U, -AU  (2) 

where  AU  is  the  change  in  reliability  caused  by  reliability  growth  and  can  be  explained  as 

AU  =  AF/L 
or 

AF  =  AU*L  (3) 

where  AF  is  the  cumulative  failure  correction  number. 
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Averaging  both  sides  of  equation  (3)  results  in 


or 


AF=  AU*  - 
2 


AU=  -•  AF 
L 


(4) 


Substitute  equation  (1)  and  equation  (4)  into  equation  (2) 

U=  1.  AF 
L  L 

The  estimation  of  the  unreliability  of  the  launch  vehicle  at  the  n'”  launch  can  then  be  approximated  as 


(5) 


i  Fi-  p.  L 

,,  Fn  2  '-n 

Un=  — -  - •  - 

Ln  Ln  N 


(6) 


where  L,  is  the  i'*’  launch  number,  and  F,  is  the  cumulative  failure  number  at  the  i"'  launch. 
The  reliability  R„  at  the  n''’  launch  is 


Rn  =  1  -  Un=  1  - 


2_ 

Ln  Ln 


N  p 

I  F,-  p*  Li 

i.1  Ln 


N 


(7) 


The  concepts  of  confidence  levels  based  on  the  value  of  average  reliability  from  equation  (7)  are  now 
illustrated  as  the  following. 

Let  N  be  the  launch  number,  then  X  =  N  •  R„is  the  success  number 
5th  confidence  - 

Roos* - - -  (®) 

X  +  (  n-  x+  1 )  Fo95(  2n-  2x+2,  2x) 

95fh  confidence  - 

Rox-  (x-t-1)  Fo95(2x.)-2,2n- 2x)  (9) 

{  n-  X)  +  (  x+  1 )  Fo95(  2x+2,  2n-  2x) 

whereF,(n,  n^)  is  the  100  r’*' percentile  of  F-distribution  with  n,  numerator  and  n^  denominator  degrees 
of  freedom. 

This  completes  the  formulation  of  the  launch  vehicle  reliability  calculations.  The  example  which 
applies  this  model  is  given  in  section  5. 
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2.2  Estimation  of  Stage  Reliability 


The  basic  method  of  estimating  the  stage  reliability  of  a  launch  vehicle  in  the  present  study  is  based  on 
the  following  assumptions: 

1 .  The  failure  of  fhe  launch  vehicle  must  occur  in  one  of  its  stages. 

2.  The  starting  operation  time  for  each  stage  is  followed  by  the  order  of  stage  number.  In  other  words, 
the  first  stage  should  begin  operating  before  the  second  stage. 

The  following  formulation  has  been  developed  to  perform  the  reliability  estimation  for  the  i"' stage 


M  (10) 

Fv-  (  I  Fs,)  •  Uv 
1-1. 1^-1 


where  R,,  is  the  reliability  of  the  i'”  stage,  F,,  is  the  cumulative  failure  number  of  the  i'"  stage,  Fjs  the 
cumulative  failure  number  of  fhe  launch  vehicle,  U^is  fheunreliabilify  of  fhe  launch  vehiclef  rom  equafion 


(6). 


For  example,  the  reliability  for 
First  stage;  R3i=1  - 


Second  stage:  Rs2  =  1  -  - - — — 

Fv  -  Fsi  •  Uv 

Third  Stage:  Rs3  =  1  -  - - 

Fv  -  (  F51  +  Fj^  •  Uv 

Since  the  value  of  Ujn  equation  (10)  has  been  weighted,  the  estimation  of  reliability  for  each  stage 
R.  is  also  a  weighted  average. 


2.3  Estimation  of  System  Reliability 

The  basic  assumption  for  the  method  of  estimating  system  relaibility  in  the  present  study  is  that  the 
failure  of  the  launch  vehicle  must  occur  in  one  of  its  systems. 

The  average  reliability  of  each  system  of  the  launch  vehicle  can  be  formulated  as 

R.,.i=  1  -U,-F.^./F,  (11) 

where  R^^,,  is  the  reliability  of  fhe  i"'  system,  F,^,,  is  the  cumulative  failure  number  of  the  i’''  system,  U„ 
is  the  unreliability  of  the  launch  vehicle,  F^is  the  cumulative  failure  number  of  the  launch  vehicle. 
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2.4  Estimation  of  Engine  (or  Motor)  Reliability 


The  basic  assumption  of  the  method  for  estimating  engine  (or  motor)  reliability  is  if  any  of  the 
engines  (or  motors)  in  a  stage  fails,  then  the  entire  stage  has  failed.  Since  the  failure  of  a  stage  can  be 
caused  by  either  engine  (or  motor)  failure  or  other  failures,  the  cumulative  failure  number  of  engine 
(or  motor)  in  this  stage  needs  to  be  known.  The  model  for  estimating  engine  (or  motor)  reliability  is 
described  as 

Rei  =  (  1  -  Usi-  Fe/  Fs:) 


where 

R,i  is  the  reliability  of  the  engine  (or  motor)  in  the  i'^’  stage. 

U,,  is  the  unreliability  of  the  i''’  stage  which  can  be  obtained  by  1-R,,  from  equation  (10). 
F,|  is  the  engine  (or  motor)  cumulative  failure  number  in  the  i"'  stage. 

Fj.  is  the  cumulative  failure  number  of  the  i'"  stage. 

Ng.  is  the  number  of  engines  (or  motors)  in  the  i"*  stage. 
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3.0  DATA  COLLECTION 


Based  on  tiie  analysis  of  section  2,  the  following  table  for  data  collection  of  each  launch  vehicle  was 
developed. 


Vehicle  Name _ 

Data  Collection  from _ Yr  to _ Yr 

Total  Launch  Number _ 

Total  Failure  Number  _  _ 


Date 

Failure 

Launch 

Success 

Run 

Failure 

Stage 

Failure 

System 

Failure 

Descrptn 

Engine  or 

Failure  Y/N 

Table  A.3 


In  this  table, 

Date:  the  date  when  the  launch  vehicle  failed 

Failure  Launch:  the  launch  number  at  which  the  launch  failed 
Success  Run:  the  number  of  successful  launches  between  two  failures 

Failure  Stage:  failure  stage  number 

Failure  System:  one  of  the  following  systems  failed:  propulsion,  separation,  flight  control, 
structure,  electrical,  guidance,  etc... 

Failure  Description:  failure  mode 

Engine  or  Motor  Failure  Y/N:  Y  =  engine  or  motor  failure; 

N  =  no  engine  or  motor  failure. 


This  table  template  was  then  applied  to  the  history  of  all  US  Launch  Vehicle  Families  according  to  given 
cut-off  dates.  The  cut-off  dates  and  the  resulting  historical  tabulations  are  given  in  the  supplement  to  this 
appendix. 


4.0  ALGORITHM 

The  general  solution  procedures  of  launch  vehicle  reliability  analysis  can  be  described  by  the  following 
steps. 

1 .  Use  Table  A.3  to  collect  the  data  for  each  launch  vehicle. 

2.  From  the  date  of  “Failure  Launch"  listed  in  Table  A.3,  the  launch  vehicle  reliability  can  be 
estimated  by  applying  equation  (7)  in  section  2.1.  The  corresponding  95th  and  5th  confidence  levels  can 
be  obtained  by  solving  equations  (8)  and  (9)  in  section  2.1. 

3.  From  the  data  of  “Failure  Stage”  listed  in  Table  A.3  and  the  launch  reliability  obtained  in  step 
2,  the  reliability  of  each  stage  of  the  launch  vehicle  can  be  calculated  by  using  equation  (10)  in  section 
2.2. 
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4.  The  date  of  “Failure  System”  together  with  the  results  of  step  2  provide  the  information  to  obtain 
the  reliability  of  each  system  in  the  launch  vehicle  by  applying  equation  (11)  in  section  2.3. 

5.  From  the  data  of  “Engine  (or  Motor)  Failure  Y/N"  listed  in  Table  A. 3  and  the  result  of  sfep  3.  the 
reliabilities  of  each  engine  (or  motor)  can  be  obtained  by  solving  equation  (12). 

5.0  EXAMPLE 

Consider  the  “Atlas/Centaur"  as  an  example.  The  general  information  about  the  “Atlas/Centaur*  is 
illustrated  in  the  following  figure  which  is  taken  from  the  report  “Hazard  Analysis  of  Commercial  Space 
Transportation",  Volume  I,  May  1988,  published  by  the  U.S.  Department  of  Transportation. 

Following  the  solution  procedures  described  in  section  4; 

1 .  Table  A. 4  lists  all  the  failure  data  on  the  “Atlas/Centaur”,  The  data  collection  period  is  from  1962 
to  1 987.  The  launch  number  of  the  "Atlas/Centaur”  during  this  period  is  67,  and  the  corresponding  failure 
number  is  1 1 .  In  this  example,  the  failure  data  was  collected  from  the  “Launch  Vehicle  Failure  History  Data 
Base,"  which  was  compiled  by  Cindy  Thatcher  Clague  of  the  Aerospace  Corporation  (reference  4). 

The  March  26, 1987  failure,  shown  in  Table  A. 4,  which  was  caused  by  a  lightning  strike  is  considered 
as  an  externally  caused  failure.  This  failure  is  eliminated  in  the  present  reliability  analysis  otherwise  all 
failures  are  included. 

2.  Based  on  the  data  in  Table  A. 4,  we  used  equation  (7)  in  Section  2.1  to  estimate  the  launch  vehicle 
reliability.  The  estimation  of  the  reliability  for  n=!67  is 

R„  =  0.9069 

The  corresponding  95th  and  5th  confidence  levels,  obtained  by  solving  equations  (8)  and  (9),  are 

=  0.8450 

R<,,„=  0.9489 

3.  From  the  “Stage  Failure"  data  in  Table  A. 4 

The  first  stage  is  stage  1/2  and  nas  the  failure  number  F,,2  =  2. 

The  second  stage  is  stage  1  and  has  the  failure  number  F,  =  2. 

The  third  stage  is  stage  2  and  has  the  failure  number  F^  =  6. 

The  reliability  of  each  stage  can  be  obtained  by  solving  equation  (10).  In  this  example,  the  unreliability 
of  the  vehicle  is  U,  =  1-R,  =  0.0931,  and  the  cumulative  failure  number  of  the  vehicle  is  F,  =  10. 
Substituting  these  values  into  equation  (10),  we  get 

R„  =  0.9814  for  stage  1/2. 

R,2  =  0.9810  for  stage  1 . 

R,3  =  0.9420  for  stage  2. 

4.  From  the  “System  Failure"  data  in  Table  A. 4 

The  failure  number  of  the  propulsion  is  5. 

The  failure  number  of  the  structure  is  2. 

The  failure  number  of  the  separation  Is  1. 

The  failure  number  of  the  flight  control  is  1 . 

The  failure  number  of  the  electrical  is  1. 
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General  Dynamics 


Geaerfll  Stage  Data 

Atlas  Centaur  Launch  Vehicle 


Stage  1/2 

Stage  1 

1 

Stage  2 

Designation 

' - 

—I - ^ 

Atlas  G 

Centaur  D-lA 

Stage  Mast,  Ubm 

320.876 

38.777 

Uaable  Propdiani,  kibm 

300.632 

29.734 

Stage  Length,  ft 

76.7 

29S 

Stage  Diameter,  ft 

10 

10 

Number  o^'Engmea 

2 

1 

2 

Giii^iv»  Data 

ManuCactnrer 

Type 

Engine  Daa 

Manufacttner 

Socketdyne 

Rocketdyne 

Honeywell 

Four  Gimbal 
Inertia] 

Pratt  and  Whitn^ 

Designation 

YLIW9-NA-1 

YU1.105-NA-7 

RLrlOA-3>3A 

Number  of  Starts  PoMible 

1 

1 

2 

Fud 

KP-1 

RP-l 

LN, 

Ondiaer 

LOX 

LOX 

LOX 

ACixtore  Ratio, 

2.25 

2.22 

5.0 

Average  Thrust  per  Engine,  Ibf 
Sea  Level 

180,750 

60,600 

Vacuum 

— 

— 

16,500 

Average  Chamber  treasure,  paia 

660 

733 

474 

Specific  Impulae,  sec 

Sea  Level 

250 

220 

Vacuum 

292 

312 

446.4 

Total  Time,  sec 

163 

263 

404 

Noule  Ebcpansion  Ratio 

8 

25 

61 

Notzle  Exit  Area.  fP 

11.24 

11.66 

8.22 

Engine  Cant  Angle,  deg 

0 

0 

0 

Ihrust  Vector  Control 

Gimballed  Elnginea  and  Verniers 

Gimballed  Engine 

Figure  A.1.  Atlas/Centaur  launch  vehicle  configiiration  and  data. 
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TABLE  A.4:  FAILURE  HISTORY  DATA  OF  ATLAS/CENTAUR 

Vehicle  Name: 

Atlas/Centaur 

Data  Collection  from: 

62  to  87 

Total  Laimch  Number 

67,x  ■ 

Total  Failure  Number 

11 

Failure 

System 

Failure 

Description 

Structure 

Centaur  upper  stage  structure  failure 

Propulsion 

Centaur  hydraulic  failure,  Loss  of  C, 
hydraulic  power 

Propulsion 

Loss  of  Atlas  thrust  during  liftoff,  due  to  fuel 
starvation  of  booster  engines  stemming  from 
closure  of  fuel  prevelue 

Propulsion 

Centaur  restart  sequence  failure,  engine 
ignition  occurred  but  not  sustained  due  to  fuel 
depletion 

Propulsion 

Failure  of  boost  pump  H^O,  supply  system 
centaur  didnl  achieve  its  second  main  engine 
start 

Separation 

Nose  fairing  failed  to  jettison  property 

Flight  Control 

Centaur  pitch  control  lost 

Electrical 

Atlas  booster  section  electrical  disconnect 
failed  during  booster  jettison 

Propulsion 

Atlas  booster  engine  hot  gas  leak  failed  missior 

Propulsion 

Failure  occurred  at  A/C  Separation  a  liquid 
oxygen  tank  crack 

other 

Lightning  strike  failed  mission 

Engine/Motor 
Failure  Y/N 


By  solving  equation  (11),  the  reliability  of  each  system  can  be  obtained 


’’propulsion  “ 

R.uucu,.  =  0.9814 
^•eparalion  “  0.9907 
^  night  control  ~  0.9907 
^olecttlcal  “  0.9907 

5.  There  are  two  engines  (YLR-89-NA-7)  in  stage  1/2,  one  engine  (YLR-1 05-NA-7)  in  stage  1 ,  and 
two  engines  (RL-10A-3-3A)  in  stage  2.  From  Table  A. 4,  the  failure  number  of  engine  YLR-89-NA-7  is 
2.  The  failure  number  of  engine  YLR-105-NA-7  is  1,  and  the  failure  number  of  engine  RL-10A-3-3A  is 
0.  By  solving  equation  (12)  together  with  results  of  stage  reliabilities,  the  reliabilities  of  each  engine  can 
be  obtained. 


^LR.89-NA.7  ~  0.9907 

^YLR-105-NA-7  ~  0.9905 
RRL.t0A.3.3A  =  No  Failure 


The  results  of  the  reliability  analysis  for  t^^e  "Atlas/Centaur"  are  summarized  as 


ATLAS/CENTAUR 

B£UAmi 

Vehicle 

Mean 

0.9069 

5% 

0.8450 

95% 

0.9489 

Stages 

Stage  1/2 

0.9814 

Stage  1 

0.9810 

Stage  2 

0.9420 

SLYStem 

Propulsion 

0.9535 

Structure 

0.9814 

Separation 

0.9907 

Flight  Control 

0.9907 

Electrical 

0.9907 

Engines 

YLR-89-NA-7 

0.9907 

YLR-105-NA-7 

0.9905 

RL-10A-3-3A 

No  Failure 

The  reliability  estimation  of  'Atlas/Centaur"  based  on  equation  (7)  at  each  launch  is  described  in 
the  following  figure,  A. 2. 


. . I  ■  »  '  '  I . I  ,  , ,  r  I  t 

1  0  1  5  20  25  30  35 


'  I  ■  ■  '  ■  I  ■  <  I  I  I  I  I  I  I  I 

40  45  50  55 


Launch  Number 


•T' 

60 


TT-r-r  t-r  , 

65  70 


Figure  A.2.  Reliability  estimation  of  Atlas/Centaur. 
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6.0  RESULTS 


The  statistical  model  (section  2)  and  the  data  collection  method  (section  3)  following  the  solution 
procedures  (section  4)  have  been  applied  to  twenty-tour  U.S.  launch  vehicles.  The  results  are  listed  in 
Table  A.5. 

In  Table  A.5,  launch  vehicles  are  separated  into  six  groups  based  on  their  developmental  histories.  The 
results  ot  the  •Combine’  in  Table  A.5  are  the  reliability  estimates  tor  each  group.  The  following 
formulations,  based  on  Bayesian  reliability  analysis,  have  been  applied  to  perform  the  calculation  for  each 
group. 

.=  llRi 

where  N  is  the  vehicle  number  in  the  group,  R,  Is  the  reliability  of  the  i"' vehicle,  u  is  the  mean  reliability 
of  the  group. 


where  is  the  variance. 


a=  iL(  1  -  ji)  . 

a 


b  «  -i^(  1-  p)  +  p-1 
a 


Then  the  mean  ot  the  group  is 
p  =  a/(a+b) 


The  5%  confidence  level  is 


a  +  b  •  Fo9s(  2b, 2a) 


The  95%  confidence  level  is 

Q  a*  Fo9s(  2a,  2b) 

H095=  - 

b  +  a  •  Fo9s(  2a,2b) 

The  reliability  estimations  tor  each  engine  ot  the  launch  vehicles  are  not  listed  in  Table  A.5.  They  are 
partially  listed  in  the  matrices  which  are  tor  engine  reliability  analysis. 
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TABLE  A.5:  RELIABILITY  COMPARISON  OF  U.S.  LAUNCH  VEHICLE  FAMILIES 
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A  new  model  has  been  developed  which  has  the  following  advantages: 

1.  This  model  weights  the  reliability  growth  effect.  Since  the  reliability  of  a  launch  vehicle  can  be 
estimated  from  each  past  launch,  the  extension  of  this  model  should  be  able  to  predict  the  future  reliability 
of  the  launch  vehicle. 

2.  The  formulations  of  the  model  are  simple  and  easy  to  apply.  A  computer  program  is  being  developed 
for  future  applications. 

3.  The  results  of  the  calculations  are  only  dependent  on  the  data  collection, 

4.  The  reliability  estimations  of  vehicles,  stages,  systems,  and  engines  are  separated,  which  reduces 
the  restrictions  to  the  data  collection. 
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Cut-off  dates  for  launch  vehicle  reliability  data 


Launch  vehicle 

Cut-off  date 

Failure  No. 

Launch  No. 

Thor/Delta 

Thor 

01/25/57  - 

08/05/83 

66 

369 

Delta 

05/1  3/60  - 

03/20/87 

12 

181 

Titan 

Titan  1 

02/06/59  - 

03/05/65 

24 

68 

Titan  II 

03/1  6/62  - 

06/27/76 

1  6 

94 

Titan  III 

09/01/64  - 

02/1  1/87 

1  1 

137 

Titan  34D 

1  0/30/82  - 

1  1/28/87 

2 

1  1 

Atlas 

Atlas  A 

06/1  1/57  - 

06/03/58 

5 

8 

Atlas  B 

07/1  9/58  - 

02/04/59 

4 

9 

Atlas  C 

1  2/23/58  - 

08/24/59 

3 

6 

Atlas  D 

04/14/59  - 

1  1/07/67 

42 

197 

Atlas  E 

10/11/60  - 

02/03/88 

18 

49 

Atlas  F 

08/08/61  - 

06/23/81 

1  7 

96 

Atlas  SLV 

02/02/67  - 

05/19/83 

4 

73 

Atlas  G 

06/09/84  - 

03/26/87 

0 

5 

Atlas  H 

02/09/83  - 

05/15/87 

0 

5 

Atlas/Centaur 

05/08/62  - 

03/26/87 

10 

67 

Jupiter 

07/26/58  - 

10/23/58 

3 

6 

Juno 

1  2/06/58  - 

05/24/61 

5 

10 

Saturn  1 

1  0/27/62  - 

07/30/65 

0 

10 

Saturn  IB 

02/26/66  - 

07/15/75 

0 

9 

Saturn  V 

1  1  /09/67  - 

05/14/73 

1 

13 

Vanguard 

1  2/06/57  - 

09/18/59 

8 

1  1 

Scout 

07/01  /60  - 

03/25/88 

14 

110 

STS 

Space  Shuttle 

04/12/81  - 

09/29/88 

1 

26 
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Vehicle  Name:  Thor 

Data  Collection  from;  57  to  83 

Total  Launch  Number  369 

Total  Failure  Number  66 


Date 

Failure 

Launch 

■ 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

01/25/57 

1 

0 

1 

Propulsion 

Missile  fell  back  on  launcher,  oxygen  start  tank 
fill  and  check  valve  malfunction 

Y 

04/19/57 

2 

0 

1 

Human 

Erroneously  destroyed  by  RSU 

N 

05/21/57 

3 

0 

2 

Structure 

Fuel  tank  ruptured 

N 

08/30/57 

4 

0 

1 

Propulsion 

Propellant  valve  pneumatic  line  failure 

Y 

10/03/57 

6 

1 

1 

Electrical 

Microswitch  failure  in  MFV  delayed  signal  to 
gas  generator  valve  opening 

N 

10/11/57 

7 

0 

1 

Propulsion 

Possible  turbopump  failure 

Y 

12A)7/57 

9 

1 

1 

Electrical 

Electrical  systems  malfunction,  no  main  engine 
cutoff 

N 

01/28/58 

11 

1 

1 

Guidance 

Excessive  trajectory  dispersion  after  95  sec. 
terminated  by  RSO 

N 

02/28/58 

12 

0 

1 

Propulsion 

Premature  shutdown,  failure  of  gas  generator 
LRRP  or  liquid  ox  line 

Y 

04/19/58 

13 

0 

1 

Propulsion 

Fell  back  on  launcher  due  to  fuel  system 
malfunction 

Y 

04/23/58 

14 

0 

1 

Propulsion 

Turbopump  failure 

Y 

07/13/58 

18 

3 

1 

Electrical 

Main  engine  cutoff  failed  to  get  through 
circuit  problem 

N 

07/26/58 

20 

1 

1 

Structure 

Pneumatic  line  failure  caused  MLV  closure 
missile  broke  up  due  to  aerodynamic  forces 

N 

08/17/58 

22 

1 

1 

Propulsion 

First  stage  malfunction.  Turbopump  failure 

Y 

11/05/58 

24 

1 

1 

Guidance 

Ailopilot  malfunction 

N 

Vehicle  Name:  Thor 

Data  Collection  from:  57  to  83 

Total  Launch  Numben  369 

Total  Failure  Number:  66 


Date 

Failure 

Launch 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

11/08/58 

25 

0 

3 

Propulsion 

3rd  stage  failed  to  ignite 

Y 

12/05/58 

27 

1 

1 

Propulsion 

Liquid  oxygen  tank  pressurization  malfunction 

N 

12/30/58 

30 

2 

1 

Guidance 

Guidance  malfunction  at  liftoff 

N 

01/21/59 

31 

0 

1 

Propulsion 

Exploded  on  pad.  A  malfunction  during 
countdown 

N 

01/23/59 

32 

■ 

2 

Electrical 

Electrical  malfunction  prevented  cutoff  and  2nd 
stage  Ignitbn 

N 

01/30/59 

33 

0 

1 

Propulsion 

Liquid  oxygen  tank  pressurization  problem 

N 

06/03/59 

47 

14 

3 

Propulsion 

Premature  engine  burnout  due  to  fuel 
exhaustion,  Insufficient  velocity  was  gained  for 
orbital  attainment 

Y 

06/16/59 

49 

1 

1 

Guidance 

Autopilot  did  not  program  possibly  liftoff  switch 
didnot  extract 

N 

06/25/59 

51 

1 

2 

Electrical 

A  diode  failure  in  the  D-timer  brake  circuit 
caused  the  Agena  engine  to  burn  to  fuel 
exhaustion 

N 

06/29/59 

52 

0 

1 

Electrical 

Electrical  malfunction  FW  did  not  separate 
retro-rockets  did  not  fine 

N 

07/21/59 

53 

■ 

1 

Flight  Control 

Flight  controller  did  not  program;  Launcher  arm 
did  not  extract  liftoff  pin 

N 

08/14/59 

60 

6 

1 

Propulsion 

Fuel  depletion,  fuel  underload,  leak  or  engine 
miscalibratlon 

Y 

09/17/59 

65 

4 

2 

Separation 

2nd  stage  retro  device  failed,  3rd  stage  did  not 
ignite 

N 

12/01/59 

77 

11 

1 

Propulsion 

Main  engine  cutoff  occurred  6  sec.  early. 
Possibly  main  liquid  oxygen  valve  closed 
orematurelv 

Y 

12/14/59 

79 

1 

1 

Flight  Control 

Control  failure.  Missile  stability  lost 

N 
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Vehicle  Name:  Thor 

Data  Collection  from:  57  to  83 

Total  Launch  Number.  369 

Total  Failure  Number  66 


Date 

Failure 

Launch 

1 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

02/04/60 

83 

3 

1 

Electrical 

Failure  of  the  fuel  injector  pressure  switches  or 
a  short  around  them 

N 

02/19/60 

86 

2 

1 

Guidance 

Autopilot  component  failure 

N 

06/29/60 

94 

7 

2 

Guidance 

2nd  stage  attitude  instability 

N 

08/18/60 

97 

2 

1 

Propulsion 

Failure  of  the  first  stage  hydraulic  system 

Y 

10/26/60 

101 

3 

2 

Separation 

2nd  stage  failed  to  separate 

N 

11/30/60 

103 

1 

1 

Electrical 

Main  engine  shutdown  from  a  premature 

MECO  signal 

N 

03/30/61 

111 

7 

3 

Propulsion 

A  hydraulic  system  failure  resulted  in  lose  of 
attitute  control 

Y 

06/08/61 

113 

1 

3 

Propulsion 

Fuel  line  leak,  Engine  failed  to  provide  thrust 

Y 

07/21/61 

118 

4 

1 

Flight  Control 

Control  system  instability 

N 

08/03/61 

119 

0 

2 

Flight  Control 

A  failure  occurred  in  the  hydraulic  system  which 
provides  the  power  for  engine  gimballing 

N 

10/23/61 

125 

5 

1 

Propulsion 

Hydraulic  failure  and  a  failure  in  the  engine 
actuating  system 

Y 

11/05/61 

126 

0 

3 

Guidance 

Apogee  was  higher  than  predicted  as  a  result 
of  excess  velocity 

N 

01/13/62 

131 

4 

2 

Electrical 

Blew  a  fuse  in  the  line  to  the  gyro  guidance 
packages 

N 

01/24/62 

133 

1 

2 

Propulsion 

2nd  stage  misfired,  An  acutator  lug  on  the  2nd 
stage  thrust  chamber  was  broken 

Y 

02/21/62 

134 

0 

1 

Propulsion 

The  fuel  vent  valve  stuck  open  during  first  burn 

Y 

IS"; 
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Vehicle  Name:  Thor 

Data  Collection  from:  57  to  83 

Total  Launch  Number:  369 

Total  Failure  Number:  66 


Date 

Failure 

Launch 

B 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

03/19/62 

136 

1 

1 

Guidance 

Pitch  HIG  gyro  malfunction 

N 

05/10/62 

140 

■ 

1 

Electrical 

Failure  of  the  1  st  and  2nd  stages  to  separate 
which  was  caused  by  1  st  stage  electrical 
malfunction 

N 

06/20/62 

147 

i 

1 

Propulsion 

High  temps  weakened  the  load-carrying 
capabilit  of  the  Thor  engine  section 

N 

07/25/62 

153 

5 

1 

Propulsion 

The  main  oxidizer  valve  only  partially  opened 

N 

10/15/62 

162 

8 

1 

Propulsion 

The  actuator  potentionmeter  voltage  show  a 
continuing  loss  of  power 

Y 

02/28/63 

174 

11 

0 

Propulsion 

Solid  motor  failure 

Y 

03/18/63 

175 

■ 

2 

Electrical 

Electrical  short  circuit  in  the  safe-arm  junctbn 
box 

N 

04/26/63 

177 

1 

3 

Guidance 

Failure  in  horizon  sensors 

N 

06/12/63 

179 

1 

1 

Propulsion 

During  1  st  engine  operation  a  power  short 
condition  developed,  igniters  were  set  off  by 
radiated  heat  from  the  nozzle 

Y 

11/09/63 

191 

11 

1 

Propulsion 

overheating  of  the  boattail  section 

Y 

11/10/63 

192 

0 

1 

Flight  Control 

Unstable  and  premature  terminatbn  of 
powered  flight 

N 

03/24/64 

203 

10 

2 

Electrical 

Electrical  short  circuit,  bss  of  guidance  and 
control 

N 

04/21/64 

204 

■ 

UK 

Flight  Control 

Failure  of  flight  control 

N 

04/27/64 

206 

1 

UK 

UK 

UK 

UK 

05/28/64 

207 

0 

UK 

UK 

UK 

UK 
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Vehicle  Name:  Thor 

Data  Collection  from:  57  to  83 

Total  Launch  Number  369 

Total  Failure  Number.  66 


Date 

Failure 

Launch 

Failure 

Stage 

Failure 

System 

Failure 

Description 

09/02/65 

250 

42 

UK 

Guidance 

Guidance  failure,  destroyed  by  RSO 

01/06/66 

260 

9 

2 

UK 

Failed  to  orbit 

05/03/66 

269 

8 

2 

Propulsion 

Fire  in  thrust  section  due  to  leakages 

05/18/68 

301 

31 

1 

Guidance 

Gyro  failure.  Booster  guidance  malfunctbn 

02/17/71 

335 

33 

1 

Propulsion 

Exploded  after  40  sec. 

02/18/76 

354 

18 

UK 

UK 

UK 

Vehicle  Name:  Delta 

Data  Collection  from:  60  to  87 

Total  Launch  Number  181 

Total  Failure  Number:  12 


Date 

Failure 

Launch 

Failure 

Stage 

Failure 

System 

Failure 

Description 

05/13/60 

1 

0 

2 

Flight  Control 

2nd  stage  attitude  control  malfunction, 

No  3rd  stage  ignition 

03/19/64 

24 

22 

3 

Propulsion 

Loss  of  3rd  stage  halfway  thru  burn 

08/25/65 

33 

8 

3 

Propulsion 

3rd  stage  ignition  before  separation, 

Did  not  achieve  orbit 

09/18/68 

59 

25 

1 

Guidance 

1st  stage  control  system  (rate  gyro) 

07/25/69 

71 

11 

3 

Propulsion 

3rd  stage  (AKM)  thrust  dropped  during  burn 
possibly  nozzle  blown  off 

08/27/69 

73 

1 

1 

Propulsion 

1st  stage  hydraulic  system  failure 

10/21/71 

86 

12 

2 

Flight  Control 

2nd  stage  control  gas  oxidizer  vent  valve 
failure,  leak 

07/16/73 

96 

9 

2 

Propulsion 

2nd  stage  hydraulic  system  pump  motor  failure 

01/19/74 

100 

3 

2 

Flight  Control 

2nd  stage  electronics  failure 

04/20/77 

130 

29 

2 

Separation 

Clamp  band  released  early 

09/13/77 

134 

3 

0 

Propulsion 

SRM  (Castor  IV)  burn-through 

05/03/86 

178 

43 

1 

Electrical 

1st  stage  electrical  short  in  relay  box 
(main  engine  shutdown) 

Engine/Motor 
Failure  Y/N 

N 


N 


N 
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Vehicle  Name:  Titan  I 

Data  Collection  from:  59  to  65 

Total  Launch  Number:  68 

Total  Failure  Number  24 


Date 

Failure 

Launch 

■ 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

08/14/59 

5 

4 

1 

Structure 

Vibration  fired  holddown  bolts:  1 B1 E  pulled 
causing  shutdown 

N 

12/12/59 

6 

0 

1 

Propulsion 

Failure  on  pad:  destruct  system 

UK 

02/05/60 

8 

1 

1 

Structure 

Failure  at  T-t-43  sec. 

N 

03/08/60 

10 

1 

UK 

UK 

UK 

UK 

04/08/60 

12 

1 

UK 

UK 

UK 

UK 

0//01/60 

18 

5 

1 

Propulsion 

Failure  at  stage  1  hydraulics 

Y 

07/28/60 

19 

0 

1 

Propulsion 

Stage  1  premature  shutdown 

UK 

08/10/60 

20 

0 

UK 

UK 

UK 

UK 

09/29/60 

23 

2 

UK 

UK 

UK 

UK 

12/03/60 

26 

2 

1 

UK 

Vehicle  destroyed 

UK 

12/20/60 

27 

0 

2 

Propulsion 

No  stage  II  ignition 

UK 

01/20/61 

28 

0 

2 

Propulsion 

No  stage  11  ignition 

UK 

03/02/61 

31 

2 

2 

UK 

Premature  stage  II  shutdown 

UK 

03/31/61 

33 

1 

1 

UK 

Premature  stage  1  shutdown 

UK 

06/23/61 

36 

2 

2 

UK 

_ 

Premature  stage  II  shutdown 

_ 

UK 

_ 
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Date 

Failure 

Launch 

12/15/61 

49 

01/20/62 

50 

02/23/62 

52 

05/01/63 

60 

07/16/63 

61 

08/30/63 

G3 

12/08/64 

66 

01/14/65 

67 

03/05/65 

68 

Failure 

Failure 

Failure 

Stage 

System 

Description 

2 

Propulsion 

No  stage  II  ignition 

2 

Propulsion 

No  stage  II  ignition 

2 

Propulsion 

No  stage  II  ignition 

1 

Propulsion 

Failure  at  liftoff 

2 

Propulsion 

No  stage  II  ignition 

1 

Propulsion 

Gas  generator  shutdown 

2 

UK 

Stage  II  prel.  shutdown 

2 

Propulsion 

No  stage  II  ignition 

1 

Propulsion 

Propellant  depletion 

Vehicle  Name:  Titan  II 

Data  Collection  from:  62  to  76 

Total  Launch  Number  94 

Total  Failure  Number  16 


Date 

Failure 

Launch 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

06/07/62 

2 

1 

2 

Propulsion 

Stage  II  gas  generator  oxidizer  injection 
blocked 

Y 

07/25/62 

4 

1 

2 

Propulsion 

Stage  II  fuel  pump  leak  downstream  of  TCV 
failure  due  to  combustion  instability 

Y 

12/06/62 

8 

3 

2 

Propulsion 

Stage  II  oxidizer  bootstrap  line  failure 

Y 

01/10/63 

10 

1 

2 

Propulsion 

Gas  generator  oxidizer  injector  blocked 

Y 

02/16/63 

13 

2 

1 

Separatbn 

Umbilicals  failed  to  disconnect  properly 

N 

04/19/63 

15 

1 

2 

Propulsion 

Bootstrap  premature  shutdown 

Y 

05/09/63 

17 

1 

2 

Propulsion 

OX  leak.  Premature  shutdown  of  stage  II 

10%  loss  of  stage  II  oxidizer  during  S  II  flight 

N 

05/29/63 

20 

2 

1 

Propulsion 

Subassembly  1  thrust  chamber  fuel  valve  leak 
occurred  at  engine  ignition 

Y 

06/20/63 

21 

0 

2 

Propulsion 

Gas  generator  oxidizer  injector  clogging 

Y 

04/30/65 

45 

23 

1 

Propulsion 

Subassembly  /  shutdown  abruptly  and  vehicle 
flight  continued  erratically,  Turbopump  failure 

Y 

06/14/65 

48 

2 

1 

Flight  Control 

Loss  of  vernier  nozzle 

N 

09/21/65 

54 

5 

2 

Electrical 

Premature  shutdown  of  stage  II,  bad  connector 
coupled  with  a  surge  in  the  AOS  power 

N 

11/30/65 

57 

2 

1 

Propulsion 

Fuel  leak,  possibly  at  cross-over  manifold  with 
resultant  thrust  vectoring 

Y 

12/22/65 

60 

2 

2 

Human 

(Guidance) 

Control  of  record  stage  lost  following  staging 
Probably  due  to  technician  reading  wrong  scale 

N 

05/24/66 

67 

6 

1 

SeparatKsn 

No  r/v  Separation 

N 
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Date 

Failure 

Launch 

04/12''67 

69 

Failure 

- 1 

Failure 

r 

Failure 

Engine/Motor 

Stage 

System 

Description 

Failure  Y/N 

2 

Flight  Control 

Stage  II  yaw  rata  gyro 

N 

Vehicle  Name:  Titan  III 

Data  Collection  from;  64  to  87 

Total  Launch  Number;  137 

Total  Failure  Number;  1 1 


03/25/78  110 


Failure 

System 

Failure 

Description 

Propulsion 

Premature  transtage  cutoff,  Pressure  system 
failure 

Propulsion 

Propellant  freezing  in  stage  III  engine  bi-prop 
valve  engine  failed  to  shutdown 

Flight  Control 

ACS  engines  failed  to  shutdown  after  vernier 
burn  loss  of  attitude  control 

Structure 

P/L  fairing  failure  during  SRM  flight 

Propulsion 

Stage  II  engir/'  thrust  dropped  to  1/2  nominal 
gross  contamination  on  Martin  side  of  interface 

Guidance 

IGS-IMU  failure,  The  electron''*  'jspension  of 
the  IMU  shorted  out 

Propulsion 

Centaur  stage  failed  to  start  after  separation, 
failure  of  LO^  boost  pump 

Guidance 

IMU  failed.  Internally  shorted  transistor 

Propulsion 

Engine  failed  to  shutdown  on  command  burned 
to  completion,  hard  contaminant  in  fuel  valve 

Propulsion 

Low  velocity  at  stage  11  shutdown 

Propulsion 

Turbine  drive  hydraulic  pump  failure  after 
ignlion 

Engine/Motor 
Failure  Y/N 


Vehicle  Name:  Titan  34D 

Data  Collection  froin:  82  to  87 

Total  Launch  Nun'ber;  11 

Total  Failure  Number:  2 


Date 

Failure 

Launch 

Success 

Run 

08/28/85 

8 

7 

04-18/86 

9 

0 

Failure 

Failure 

System 

Description 

Propulsion 

Stage  1  engine  shutdown  prematurety-massive 

leak  shortly  after  ignition 

Propulsion 

Insulation/case  debond  vehicle  disintegrated 

at  T+8.764  the  first  exptosive  flash  was  noted 

Engine/Motor 
Failure  Y/N 


Vehicle  Name:  Atlas  A 

Data  Collection  from:  57  to  58 

Total  Launch  Number:  8 

Total  Failure  Number  5 


Date  Failure  Success  Failure  Failure 

Launch  Run  Stage  System 


Vehicle  Name: 

Atlas  B 

Data  Collection  from: 

58  to  59 

■ 

Total  Launch  Numben 

9 

Total  Failure  Number: 

4 

Vehicle  Name:  Atlas  C 

Data  Collection  from;  58  to  59 

Total  Launch  Number  6 

Total  Failure  Number  3 
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Vehicle  Name: 

Atlas  D 

Data  Collection  from: 

59  to  67 

Total  Launch  Number 

197 

Total  Failure  Number 

42 

Date 

Failure 

Launch 

04/14/59 

1 

1 

05/1 8/59 

2 

06/06/59 

3 

09/09/59 

6 

09/16/59 

8 

01/26/60 

19 

03/10/60 

23 

04/07/60 

24 

05/06/60 

26 

06/22/60 

30 

07/02/60 

1 

32 

07/22/60 

33 

07/29/60 

34 

09/1 2/60 

37 

09/29/60 

41 

Failure  Failure 
Stage  System 


Propulsion 


Propulsion 


Propulsion 


Electrical 


Failure 

Description 


Electrical  signal  to  initiate  separation  did  not 
reach  the  pyrotechnic  cartridges 


Propulsion  Hydraulic  failure 


Guidance 


Propulsion 


Propulsion 


Flight  Control 


Electrical 


Electrical 


Flight  Control 


Structure 


Propulsion 


Electrical 


Static  or  dynamic  loads,  higer  than  could  be 
predected,  rupture  of  LOX  tank 


Engine/Motor 
Failure  Y/N 


Vehicle  Name:  Atlas  D 

Data  Collection  from:  59  to  67 

Total  Launch  Number  197 

Total  Failure  Number  42 


Date  Failure  Success  Failure  Failure 

Launch  Run  Stage  System 


Failure 

Description 


10/12/60  43 


04/25/61  52 


09/09/61  57 


02/21/62  71 


07/22/62  6 


10/02/62  92 


Propulsion 


12/15/60  I  47  I  3  I  1  I  Structure  I  Rupture  in  the  missile  LOX  tank 


10/21/61  59  1  1/2  Guidance  1  roll  control  was  lost 


11/22/61  1/2  Flight  Control  I  Booster  pitch  control  bst 


12/22/61  65  3  2  Flight  Control  I  Sustainer  engine  failed  to  cutoff 


01/26/62  63  2  1/2  Guidance  I  Failure  of  Mod  111  G  Guidance  system 


Propulsion 


04/09/62  74  2  2  Electrical  Electrical  failure,  excess  altitude  and  under¬ 

velocity  condition 


2  2  Guidance  I  Failure  of  engine  burning  time 


Electrical 


1 2/1 7/62  98  5  1  Propulsion  Thrust  chamber  oscillation 


01/25/63  100  1 


03/09/63  104  3 


Structure 


Flight  Control 


Engine/Motor 
Failure  Y/N 


1  !2  Flight  Control  Unsatisfactory  due  to  a  failure  in  the  flight 
control  system 


1/2  Electrical  Failure  of  the  ground  power  umbilical  to  eject  N 
normally  at  liftoff 
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Vehicle  Name:  Atlas  D 

Data  Collection  from:  59  to  67 

Total  Launch  Numben  197 

Total  Failure  Number:  42 


Date 

Failure 

Launch 

Success 

Run 

Failure 

Stage 

03/15/63 

106 

1 

03/16/63 

107 

0 

06/1 2/63 

111 

3 

1/2 

09/06/63 

117 

5 

09/11/63 

118 

0 

10/07/63 

119 

0 

11/13/63 

123 

3 

01/21/65 

149 

25 

03/02/65 

153 

3 

1/2 

05/27/65 

159 

5 

1/2 

03/04/66 

175 

15 

1/2 

05/03/66 
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3 

UK 

Failure 

System 


Propulsion 


Failure 

Description 


Hydraulic  failure 


Flight  Control 


Propulsion 


Booster  hydraulic  accumulater  failure, 
Exploded  just  after  launch 


Propulsion 


Hydraulic  failure 


Propulsion 


Propulsion 


Propulsion 


Hydraulic  failure 


Propulsion 


Injection  failure,  no  separation 


Propulsion 


Stage  failed  due  to  loss  of  thrust 


Propulsion 


Booster  exploded 


Flight  Control 


Failure  of  sustainer  low  pressure  hydraulic 
system  at  booster  jettison 


UK 


UK 


Vehicle  Name:  Atlas  E 

Data  Collection  from:  60  to  88 

Total  Launch  Number:  49 

Total  Failure  Numben  18 


Date 

Failure 

Launch 

Success 

Run 

Failure 

Stage 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

10/11/60 

1 

0 

1/2 

Guidance 

Nitrogen  control-gas  was  broken  off.  causing 
control-gas  depletion 

N 

11/29/60 

2 

0 

1 

Propulsion 

Loss  of  sustainer  engine  hydraulic  pressure 

Y 

01/24/61 

3 

0 

1 

Flight  Control 

Lost  vehicle  stability 

N 

03/1 3/61 

5 

1 

1 

Flight  Control 

Premature  shutdown  of  the  sustainer  engine 
due  to  fuel  depletion 

N 

03/24/61 

6 

0 

1/2 

Flight  Control 

Control  bottle  helium  was  depleted  during 
boost  phase  and  the  booster  package  was  not 
jettisoned 

N 

06/07/61 

9 

2 

1/2 

Propulsion 

Combustion  instability  in  B1  thrust  chamber 

Y 

06/22/61 

10 

0 

1/2 

Flight  Control 

Excessive  pitchover  rate  during  boost  phase 

N 

09/08/61 

13 

2 

1 

Propulsion 

Sustainer  engine  shutdown  shortly  after  jettison 
of  the  booster  section 

Y 

11/10/61 

16 

2 

1 

Propulsion 

Sustainer  engine  shutdown  during  main  stage 
transition 

Y 

02/28/62 

20 

3 

UK 

Structure 

UK 

UK 

07/13/62 

21 

0 

1 

Propulsion 

LOX  leak  during  flight,  failure  of  slow-closing 
propellant  valve 

Y 

12/18/62 

22 

0 

1/2 

Propulsion 

Booster  engine  shutdown  due  to  loss  of  lube  oil 

Y 

07/26/63 

26 

3 

1 

Electrical 

Spurious  voltage  transients  on  range  safey 
cutoff  cirw  litry 

N 

09/25/63 

29 

2 

1 

Propulsion 

Sustainer  hydraulic  system  failed  at  staging 

Y 

02/12/64 

30 

0 

1 

Guidance 

Guidance  failure  in  premature  engine  cutoffs 

N 
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Vehicle  Name:  Atlas  E 

Data  Collection  from:  60  to  88 

Total  Launch  Number  49 

Total  Failure  Number  18 


Date 

Failure 

Launch 

08/27/64 

32 

12A)8/80 

36 

12/18/81 

37 

Failure 

Failure 

Failure 

Engine/Motor 

Stage 

System 

Description 

Failure  Y/N 

UK 

Guidance 

Radial  impact  error  BB  NM  short,  GD/A  did  not 
perform  an  analysis 

N 

Booster  engine  nol  2  shutdown  prematurely, 
due  to  toss  of  oil 


Propulsion  B1  GG  burn  through 
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Vehicle  Name:  Atlas  F 

Data  Collection  from:  61  to  81 

Total  Launch  Number  96 

Total  Failure  Number:  1 7 


Date 

Failure 

Launch 

Success 

Run 

Failure 

Stage 

— 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

12/12/61 

3 

2 

1 

Guidance 

The  ARMA  guidance  system  computer  mal¬ 
functioned.  Engine  cutoff  4  sec  early 

N 

12/20/61 

4 

0 

1 

Propulsion 

Loss  of  sustainer  hydraulic  pump  inlet  pressure 

Y 

04/09/62 

5 

0 

1 

Propulsion 

The  sustainer  tox  turbopump  was  destroyed  by 
an  internal  overpressure 

Y 

08/10/62 

7 

1 

1 

Flight  Control 

Missile  failed  to  roll  to  the  planned  target 
azimuth 

N 

11/14/62 

12 

4 

1 

Guidance 

Guidance  computer  malfunctioned 

N 

03/23/63 

17 

4 

UK 

UK 

Missle  self-destructed  at  91  sec. 

JK 

10/03/63 

19 

1 

1/2 

Propulsion 

B1  Main  fuel  valve  failed  to  open 

Y 

10/28/63 

20 

0 

1 

Propulsion 

Sustainer  hydraulic  return  system  failed 

Y 

04/03/64 

23 

2 

1/2 

Propulsion 

Thrust  imbalance  due  to  B1  main  fuel  valve 
sticking 

Y 

08/08/66 

29 

5 

1/2 

Propulsion 

Abnormal  operation  of  B2  engine  caused  high 
fuel  and  low  LOX  usage,  partial  blockage  of 
the  B2  LOX  hiah  oressure  svstem 

Y 

10/11/66 

30 

0 

1/2 

Propulsion 

Fuel  starvation  of  B1  engine  due  to  malfunction 
of  B1  engine  fuel  prevalve 

Y 

10/27/67 

39 

8 

1/2 

Propulsion 

Loss  of  vehicle  stability  caused  by  small  leak  in 
booster  hydraulic  high  oressure  system 

Y 

05/03/68 

45 

5 

1 

Flight  Control 

Divergent  oscillations  of  booster  pitch  control 

N 

11/06/68 

52 

6 

1 

Propulsion 

Vernier  engine  hydraulic  pressure  lost  after 
SECO 

Y 

10/10/69 

58 

5 

4 

Propulsion 

Sustainer  and  vernier  engines  shutdown 
prematurely 

— 

Y 
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Vehicle  Name:  Atlas  F 

Data  Collection  from:  61  to  81 

Total  Launch  Number:  96 

Total  Failure  Number  1 7 


Date 

Failure 

Launch 

- 1 

Success 

Run 

Failure 

Stage 

Failure 

System 

Failure 

Description 

04/12/75 

80 

21 

1 

Propulsion 

Damaged  thrust  section  allowed  overheating 
and  premature  shutdown  of  the  sustainer  and 
vernier  enaines 

05/29/80 

95 

14 

1/2 

Propulsion 

81  er^gine  performance  was  79%  of  nominal 
and  injection  time  was  late 

Engine/Motor 
Failure  Y/N 
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Vehicle  Name:  Atlas  SLV 

Data  Collection  from:  67  to  83 

Total  Launch  Number  73 

Total  failure  Number  4 


Date 

Failure 

Launch 

Success 

Run 

1 1/30/70 

26 

25 

12/04/71 

30 

3 

02/20/75 

42 

11 

09,29/77 

52 

9 

Failure 

System 

Failure 

Description 

Engine/Motor 
Failure  Y/N 

Separation 

Nose  fairing  failure  to  jettison 

N 

Flight  Control 

Lost  attitude  control  E  pack 

N 

Electrical 

Electrical  disconnect  failure  during  Atlas  boost 
separatbn 

N 

Propulsion  |  Hot  gas  leak  in  the  booster  gas  generator 
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\ 


Vehicle  Name: 

Data  Collection  from: 
Total  Launch  Number 
Total  Failure  Number 


Allas  G 
84  to  87 

6 

1 


Vehicle  Name: 

Data  Collection  from: 
Total  Launch  Number; 
Total  Failure  Number; 


Allas  H 
83  to  87 
5 
0 


Date  Failure  Success  Failure  Failure 

Launch  Run  Stage  System 


Vehicle  Name: 

Data  Collection  from: 
Total  Launch  Number: 
Total  Failure  Number: 


Atlas'Centaur 
62  to  87 
67 
11 


Failure 

System 

- -  "  'I 

Failure 

Description 

Structure 

Centaur  upper  stage  structure  failure 

Propulsion 

Centaur  hydraulic  failure,  Loss  of  C^ 
hydraulic  power 

Propulsion 

Loss  of  Atlas  thrust  during  liftoff,  due  to  fuel 
starvation  of  booster  engines  stemming  from 
closure  of  fuel  prevelue 

Propulsion 

Centaur  restart  sequence  failure,  engine 
ignition  occurred  but  not  sustained  due  to  fuel 
deplation 

Propulsion 

Failure  of  boost  pump  H^Oj  supply  system 
centaur  didnl  achieve  its  second  main  engine 
start 

Separation 

Nose  fairing  failed  to  jettison  properly 

Flight  Control 

Centaur  pitch  control  tost 

Electrical 

Atlas  booster  section  electrical  disconnect 
failed  during  booster  jettison 

Propulsion 

Atlas  booster  engine  hot  gas  leak  failed  missior 

Propulsion 

Failure  occurred  at  A/C  Separation  a  liquid 
oxygen  tank  crack 

other 

Lightning  strike  failed  mission 
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Vehicle  Name:  Jupiter 

Data  Collection  from:  58  to  58 

Total  Launch  Number  6 

Total  Failure  Number  3 


Date 

Failure 

Launch 

Success 

Run 

Failure 

Stage 

Failure 

System 

Failure 

Description 

03/05/58 

2 

1 

4 

Propulsion 

4th  stage  failed  to  ignite 

08/28/58 

5 

2 

2 

Sepa''?tion 

Booster  burned  into  remaining  stage  upper 
stage  fired  in  wrong  direction 

10/23/58 

6 

0 

2 

Separation 

2nd  stage  failed  to  fire  premature  separation 

Vehicle  Name:  Juno 

Data  Collection  from:  58  to  61 

Total  Launch  Number  10 

Total  Failure  Number  5 


08/14/59 


03/23/60  6 


02/24/61  8 


05/24/61  10 


j 

Success 

Failure 

Failure 

Failure 

Run 

Stage 

System 

Description 

2 

1 

I 

UK 

Guidance 

Guidance  failed,  destroyed  by  RSO 

0 

1 

Propulsion 

Booster  fuel  depletion 

1 

3 

UK 

Ignition  malfunction 

1 

2 

UK 

2nd  stage  malfunction 

1 

2 

UK 

2nd  stage  failed  to  ignite 

Engine/Motor 
Failure  Y/N 
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Vehicle  Name;  Saturn  I 

Data  Collection  from:  62  to  65 

Total  Launch  Number  10 

Total  Failure  Number  0 
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Vehicle  Name,  Saturn  IB 

Data  Collection  from;  66  to  75 

Total  Launch  Number;  9 

Total  raiiure  Number  0 


Date 

Failure 

Success 

Failure 

Failure 

Launch 

Run 

Stage 

System 

Vehicle  Name:  Saturn  V 

Data  Collection  from:  67  to  73 

Total  Launch  Number:  13 

Total  Failure  Numben  1 


Date 

Failure 

Launch 

04/04/68 

2 

Failure 

Failure 

Failure 

Engine/Motor 

Stage 

System 

Description 

Failure  Y/N 

2  Propulsion 

3 


Second  stage  engine  malfunction 
Third  stage  failure  to  restart 


Vehicle  Name: 

Data  Collection  from: 
Total  Launch  Number: 
Total  Failure  Number 


Date  Failure 


Vanguard 
57  to  59 
11 
8 


12/06/57  1 


02/05/58 


04/28/58 


05/27/58 


06/26/58 


09/26/58 


04/14/59 


06/22/59  10 


Failure 

System 

Failure 

Description 

Propulsion 

First  stage  lost  thrust,  exploded  after  2  second 

Flight  Control 

First  stage  control  system  malfunction  after 

57  sec 

Propulsion 

Bad  2nd  stage  shutdown  preventing  3rd  stage 
firing 

Flight  Control 

Improper  3rd  stage  trajectory  loss  of  attitude 
control 

UK 

Early  2nd  stage  shutdown  prevented  3rd  stage 
firing 

UK 

Below  minimum  2nd  stage  performance 
prevented  orbit 

Guidance 

Loss  of  2nd  stage  pitch  control 

Propulsion 

Low  tank  pressures  after  2nd  stage  ignition 
caused  instability 

Engine/Motor 
Failure  Y/N 
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Vehicle  Name;  Scout 

Data  Collection  from:  60  to  88 

Total  Launch  Numben  110 

Total  Failure  Numben  1 4 


1  ' 

Date 

Failure 

Launch 

12/04/60 

3 

06/30/61 

5 

08/25/61 

6 

1 1/01/61 

8 

04/26/62 

11 

05/23/62 

12 

04/05/63 

18 

04/26/63 

19 

07/20/63 

23 

09/27/63 

24 

06/25/64 

28 

01/31/67 

51 

05/29/67' 

56 

12/J5/75 

94 

Failure 

System 

Failure 

Description 

Electrical 

Failed  to  ignite:  Caused  by  wire  break  or 
disconnected  power  input 

Propulsion 

Improper  venting  causing  ignition  leads  to  be 
severed 

Separation 

Diaphragm  separation  system  failure 

Guidance 

Guidance  failure  destroyed  by  RSO  after 

30  sec 

Guidance 

Control  was  tost  due  to  H^Oj  not  being  availablf 

UK 

2nd  stage  shock  input  all  three  axes  0.29  sec 
alter  ignition 

Flight  Control 

3rd  stage  reaction  control  system  failure 

Electrical 

short  circuit  in  the  destruct  system,  attitude 
control  was  lost 

Propulsion 

stage  1  engine  nozzle  failure 

Flight  control 

Pitch  motor  failure,  toss  of  vehicle  control 

Electrical 

Linear  shaped  destruct  charge  was  ignited  by 
an  unplanned  electrical  input 

Propulsion 

Motor  graphite  nozzle  insert  resulted  in  rupture 
of  the  motor  case 

Propulsion 

Failure  of  motor  caused  by  unstable  chumber 
pressure 

Propulsion 

3rd  stage  nozzle  failure 

Engine/Motor 
Failure  Y/N 
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Vehicle  Name:  Space  Shuttle 

Data  Collection  from:  81  to  88 

Total  Launch  Number  26 

Total  Failure  Number  1 


Date 

Failure 

Failure 

Failure 

Failure 

Launch 

■ 

Stage 

System 

Description 

01/28/86 

25 

24 

0 

Propulsion 

Vehicle  exploded  73  sec.  after  launch-SRM 
O-ring  failure 

